<!DOCTYPE html>
<html lang="zh-CN">
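<head>
    <meta charset="UTF-8">
    <meta name="renderer" content="webkit">
    <meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1">
    <!-- Pinch-zoom stays enabled: maximum-scale=1 / user-scalable=no would lock the page at
         100% on touch devices and fail WCAG 1.4.4 (Resize Text). -->
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="description" content="iptables:Linux上常用的防火墙软件 - 最专业的Linux命令大全，内容包含Linux命令手册、详解、学习，值得收藏的Linux命令速查手册。">
    <meta name="keywords" content="Linux,Command,命令大全,Linux命令手册,iptables,Linux上常用的防火墙软件">
    <title>iptables 命令，Linux iptables 命令详解：Linux上常用的防火墙软件 -  Linux 命令搜索引擎</title>
    <link rel="shortcut icon" href="../img/favicon.ico">
    <!-- type="text/css" is the default for a stylesheet link and is omitted -->
    <link rel="stylesheet" href="../css/index.css?v=1671615307305">
    <!-- Loaded without defer, presumably so the colour-mode element is defined before first
         paint; confirm that before making it async/deferred. -->
    <script src="../js/dark-mode.min.js"></script>
    <script type="module" src="../js/github-corners.js"></script>
</head>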
<body>
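<dark-mode permanent dark="Dark" light="Light" style="position: fixed;left: 10px;top: 8px; z-index: 999;"></dark-mode>
<!-- The reserved new-tab keyword is "_blank" with a single underscore. "__blank" is an ordinary
     browsing-context name: the first click opens a window named "__blank", later clicks reuse it,
     and a named target keeps an opener reference that "_blank" does not. Assumes github-corners
     forwards this attribute to the anchor it renders — confirm against ../js/github-corners.js. -->
<github-corners target="_blank" z-index="999" position="fixed" href="https://github.com/jaywcjlove/linux-command"></github-corners>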
<div class="header header_list">
  <div class="header_inner">
      <div class="logo">
          <a href="/">
            <svg width="183px" height="48px" viewBox="0 0 183 48" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <!-- kenny wang <wowohoo@qq.com> https://github.com/jaywcjlove --> <title>logo</title> <desc>Linux Command Logo. https://github.com/jaywcjlove</desc><g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> <g transform="translate(-576.000000, -261.000000)" fill="currentColor"> <g id="logo" transform="translate(576.000000, 261.000000)"> <path d="M20.4917792,0.000336524232 C20.1886146,-0.000100520225 19.8723998,0.0124863601 19.542641,0.0387964365 C11.2083649,0.710004944 13.4186692,9.51473754 13.2949769,12.4631618 C13.1427718,14.6193207 12.7056049,16.3185233 11.2226825,18.426428 C9.48047033,20.4982285 7.02763261,23.8514609 5.86566251,27.3420607 C5.3172635,28.9894735 5.05630425,30.6686289 5.29730805,32.2578406 C5.22181299,32.325447 5.14994103,32.3962788 5.08160039,32.469239 C4.57008792,33.0153217 4.19213625,33.6769851 3.77100458,34.1224689 C3.37755968,34.5149436 2.81698897,34.6642292 2.20097918,34.8852382 C1.58472464,35.1063477 0.908127379,35.4323261 0.497432332,36.2204265 C0.497432332,36.2204265 0.497432332,36.2207368 0.49712203,36.2207368 C0.496684986,36.222048 0.495373852,36.2233591 0.494936808,36.2246702 L0.494936808,36.2246702 C0.123151829,36.919077 0.233680372,37.718746 0.347224522,38.4596325 C0.460773043,39.2004972 0.575720105,39.9005856 0.423139144,40.3755699 C-0.0645762474,41.7086473 -0.126850712,42.6307542 0.216491414,43.2996202 C0.560563403,43.9698759 1.2680029,44.2657113 2.06756262,44.432706 C3.66668644,44.7666954 5.83232039,44.6837094 7.53908826,45.5883128 L7.68579097,45.3115063 L7.54060917,45.5891344 C9.36778716,46.5444437 11.2201913,46.8837519 12.698079,46.5461831 C13.7695766,46.3014513 14.6393781,45.6634363 15.0860725,44.6816946 C16.2420201,44.6760567 17.5104717,44.1864315 19.5423657,44.0745568 C20.9208039,43.9635213 22.6427241,44.564051 24.6233484,44.4540775 C24.6751207,44.6689591 
24.750052,44.8756375 24.8526175,45.0720452 C24.8539287,45.0742305 24.8548028,45.0759786 24.8556769,45.0780328 C25.6234722,46.6133699 27.0500902,47.3156173 28.570428,47.1956355 C30.0927718,47.075492 31.711331,46.1778551 33.0196848,44.6208231 L32.7798304,44.4192582 L33.0215204,44.618616 C34.2685787,43.1065034 36.3384911,42.4794975 37.7110118,41.6516741 C38.3972721,41.2377581 38.9541192,40.7194802 38.9971462,39.966706 C39.0401514,39.2142991 38.5984218,38.3711223 37.5826868,37.2436088 L37.5823765,37.2432985 C37.5820662,37.2428614 37.5815024,37.2424244 37.5810654,37.2415503 C37.2473295,36.8644028 37.0881185,36.1654026 36.91702,35.4210285 C36.7460395,34.6771089 36.5551865,33.8746254 35.9444344,33.3545687 L35.9444344,33.3545687 C35.9431233,33.3532575 35.9418121,33.3523835 35.940938,33.3515094 L35.940938,33.3515094 C35.6978714,33.1397045 35.4452772,32.9959518 35.1909042,32.8993694 C36.0400422,30.3810493 35.7068789,27.8734149 34.8497254,25.6073831 C33.7977638,22.8263338 31.9611937,20.4030752 30.5585738,18.7453569 C28.9885703,16.7650385 27.4529665,14.8848863 27.4832187,12.1079627 C27.5299825,7.86977213 27.9494053,0.0101787654 20.4914689,0 L20.4917792,0.000336524232 Z M21.5014393,6.5296802 C21.9246338,6.5296802 22.2860696,6.65372652 22.6573476,6.92320377 C23.0345213,7.1969553 23.3062494,7.53965497 23.5252523,8.01821865 C23.7401952,8.48461502 23.843613,8.94086321 23.8537568,9.48229573 C23.8537568,9.49649968 23.8537568,9.50864951 23.8576902,9.52285346 C23.8616236,10.0784681 23.7664397,10.5509481 23.5555483,11.0335676 C23.4352081,11.3089536 23.2970146,11.540089 23.1316064,11.7401941 C23.0754506,11.7132285 23.0171357,11.6873118 22.9566488,11.6624396 L22.9566488,11.6624396 C22.5373789,11.4828667 22.2157491,11.3685884 21.9476879,11.2755722 C22.044856,11.158772 22.1257661,11.0202464 22.1969169,10.8470719 C22.3043949,10.5854877 22.3571155,10.3299784 22.367255,10.025813 C22.367255,10.0136631 22.3711884,10.00348 22.3711884,9.98931975 C22.3772633,9.69732161 22.3387597,9.44789596 
22.2535753,9.19239103 C22.1643483,8.92472316 22.0507955,8.73208707 21.886541,8.57188842 C21.722291,8.41168541 21.5580366,8.33869024 21.361336,8.33260221 C21.3521143,8.33216517 21.3429364,8.33216517 21.3338459,8.33216517 C21.1488275,8.33260221 20.9881699,8.39616596 20.8219532,8.53532529 C20.6475593,8.6813331 20.5177834,8.86788115 20.4103054,9.12744186 C20.3028318,9.38699819 20.2501067,9.64452664 20.239976,9.95073309 C20.2377908,9.96288293 20.2377908,9.97306607 20.2377908,9.9852159 C20.2342945,10.1535261 20.2449584,10.307711 20.2709188,10.4574381 C19.8923378,10.2687966 19.535574,10.1401875 19.2007499,10.0604924 C19.181651,9.91570835 19.1706375,9.76629596 19.1670975,9.61007442 L19.1670975,9.56750629 C19.1610225,9.01391519 19.2522643,8.53941165 19.4651836,8.05679657 C19.6781029,7.57417712 19.9417194,7.2274173 20.3128051,6.94555422 C20.6838952,6.66369114 21.0488973,6.53391079 21.4808239,6.52985938 L21.5010154,6.52985938 L21.5014393,6.5296802 Z M15.7091362,6.98827969 C15.9898804,6.98871673 16.2410892,7.0827381 16.5009296,7.29023807 C16.7828014,7.51531597 16.9957164,7.80326271 17.1741616,8.20882685 C17.3526112,8.614391 17.4479175,9.01995077 17.4742757,9.49851445 L17.4742757,9.50244785 C17.4870374,9.70344023 17.485464,9.89263677 17.469643,10.0758677 C17.4141165,10.091645 17.3597045,10.1087334 17.3064069,10.1270762 C17.0036968,10.2312719 16.7369205,10.373272 16.5044085,10.5268101 C16.5271785,10.366205 16.5305437,10.2032486 16.5131057,10.0215605 C16.5109204,10.0114211 16.5109204,10.0032921 16.5109204,9.99319633 C16.4865771,9.75189098 16.435893,9.54911109 16.3507218,9.34429895 C16.2594713,9.131384 16.1580813,8.98132478 16.0242452,8.86573527 C15.9029566,8.76098882 15.7883592,8.71289208 15.6622806,8.71384046 C15.6492567,8.71384046 15.636058,8.71427751 15.6227281,8.71558864 C15.4807804,8.72773848 15.3631674,8.79669098 15.251638,8.93255936 C15.1401086,9.068419 15.0671091,9.23672919 15.0143884,9.4597792 C14.9616634,9.68284232 14.9474682,9.90184967 14.9697706,10.1532945 
C14.9697706,10.1634339 14.9719558,10.1715629 14.9719558,10.1816586 C14.9962992,10.4249963 15.0449553,10.6277718 15.1321501,10.8325883 C15.2213771,11.0434797 15.3247905,11.1935346 15.4586266,11.3091153 C15.481047,11.3284764 15.5032139,11.3458708 15.525289,11.361399 C15.3860816,11.468536 15.3196072,11.5179308 15.2055298,11.6017559 C15.1323642,11.6554425 15.0452263,11.7193646 14.94395,11.7940162 C14.7230765,11.5871106 14.5507673,11.3270648 14.4001137,10.984671 C14.2216641,10.5791112 14.1263578,10.1735471 14.0979674,9.69498342 L14.0979674,9.69105002 C14.0716136,9.21249508 14.1182463,8.8008429 14.2500545,8.37500864 C14.3818627,7.94916563 14.5582845,7.6409444 14.813785,7.38745861 C15.06929,7.13399031 15.3268184,7.00623784 15.6370763,6.99001912 C15.6613322,6.98870799 15.6853347,6.98827095 15.709123,6.98827095 L15.7091362,6.98827969 Z M18.3434478,10.3083666 C18.9959552,10.3057443 19.7811624,10.5197693 20.731756,11.1309629 C21.3156605,11.5106715 21.7700031,11.5424053 22.8162176,11.9904939 L22.8175288,11.9909309 L22.8188399,11.991368 C23.322219,12.1979021 23.6176741,12.4671083 23.7620255,12.7505841 C23.906377,13.034073 23.9099039,13.3414857 23.7890786,13.6648724 C23.5474411,14.3116676 22.7761407,14.9923468 21.6937826,15.3303395 L21.6929085,15.3307766 L21.6920344,15.3312136 C21.1642857,15.5026793 20.7040867,15.8813302 20.1615484,16.1915706 C19.6190277,16.5017979 19.00512,16.7520102 18.1703739,16.7037212 C18.1703739,16.7037168 18.1703739,16.7037212 18.1703739,16.7037212 C17.4597396,16.6622893 17.0349499,16.4210539 16.650849,16.1123607 C16.2667437,15.8036631 15.9320245,15.4158517 15.4418966,15.1280491 L15.4405854,15.1271751 L15.4392743,15.126301 C14.6497885,14.6800742 14.2187709,14.163964 14.0834969,13.7165354 C13.9482185,13.2691068 14.075193,12.8871911 14.4668766,12.5936327 C14.9072645,12.2635986 15.2131825,12.0390976 15.4169632,11.8895453 C15.6194022,11.7409983 15.703625,11.685297 15.7680935,11.623394 C15.7684038,11.622957 15.7685305,11.622957 15.7689675,11.6225199 
L15.7692735,11.6220829 C16.1001729,11.3088706 16.6276463,10.738226 17.4227569,10.4645313 C17.696421,10.3703264 18.001784,10.3095466 18.3435746,10.3081961 L18.3434478,10.3083666 Z M22.9062619,13.0069369 C22.6246829,13.0237631 22.3297828,13.1687002 21.9864013,13.3604054 C21.6430199,13.5521105 21.256878,13.7973406 20.8384079,14.0388338 C20.0014721,14.5218204 19.038047,14.9837283 18.0805918,14.9837283 C17.1216551,14.9837283 16.3555118,14.5408493 15.7808726,14.0854752 C15.4935509,13.8577838 15.2564149,13.6284404 15.0669561,13.4510265 C14.9722311,13.3623109 14.8900799,13.2867065 14.8134179,13.2276487 C14.7367734,13.1685909 14.6743853,13.1100357 14.5461303,13.1100357 L14.5400116,13.3795435 C14.5308337,13.4697233 14.5213935,13.4669437 14.5251084,13.4693999 C14.5310959,13.4733333 14.5608587,13.4835601 14.5955731,13.5103509 C14.6519344,13.5537495 14.7301609,13.6245375 14.8230067,13.7114832 C15.0086981,13.8853788 15.2554403,14.124464 15.5592255,14.3652012 C16.166796,14.8466668 17.0117515,15.3406363 18.0806093,15.3406363 C19.1509618,15.3406363 20.1636375,14.8403471 21.016875,14.3479598 C21.4434872,14.1017639 21.8309534,13.8560094 22.1604324,13.6720705 C22.4898897,13.4881185 22.7670895,13.3727781 22.9275766,13.3632068 L22.9062925,13.00695 L22.9062619,13.0069369 Z M23.8576858,14.2878093 C24.5685911,17.0901733 26.2220701,21.1378562 27.2848005,23.113201 C27.8496849,24.1612205 28.9735097,26.3878921 29.4590574,29.0706371 C29.7667148,29.0611969 30.1054855,29.1059065 30.4682673,29.1987042 C31.7377591,25.907589 29.3917525,22.3626165 28.3189832,21.375368 C27.8858722,20.9551061 27.8650557,20.7668098 28.0797669,20.7757081 C29.2436775,21.8049915 30.7716374,23.8752142 31.3275492,26.211938 C31.581035,27.2774436 31.6350799,28.3975886 31.3630809,29.5030663 C31.4961478,29.5583437 31.6312951,29.6184504 31.7682604,29.683286 C33.806037,30.6755779 34.5596721,31.5384567 34.1973186,32.716121 C34.0779748,32.7117506 33.960576,32.7126247 33.8460659,32.7152469 C33.8354021,32.7155572 33.8247819,32.715684 
33.814118,32.716121 C34.1092104,31.7826203 33.4554837,31.0941179 31.7135031,30.305952 C29.9067264,29.5110511 28.4669839,29.5901387 28.2236507,31.2022427 C28.2080919,31.2867016 28.1955487,31.3727644 28.1860212,31.460029 C28.05104,31.506902 27.9153158,31.5667509 27.7792552,31.6412014 C26.9308557,32.1054213 26.4677896,32.9477371 26.2102393,33.9808403 C25.9529032,35.0131131 25.8791213,36.2610673 25.8081016,37.6639101 L25.8081016,37.6647842 C25.7647031,38.3701826 25.4746935,39.3242507 25.1805582,40.3347805 C22.2207839,42.446033 18.1128938,43.3607409 14.6251435,40.9805006 C14.3887768,40.6065916 14.1176344,40.2361221 13.8385378,39.8707355 C13.6603154,39.6373843 13.4772332,39.4054841 13.2952172,39.1768225 C13.6532528,39.1768225 13.9575843,39.1184771 14.2035442,39.0069433 C14.5094142,38.8682516 14.724322,38.6454901 14.8306462,38.3594969 C15.0432858,37.7875325 14.8297721,36.9806654 14.1489836,36.0592664 C13.4682956,35.137933 12.3154554,34.0981212 10.6214273,33.0592009 C10.6214273,33.0592009 10.621117,33.0592009 10.621117,33.0588906 C9.37658486,32.2846183 8.68057408,31.3355981 8.3547924,30.3051959 C8.02898013,29.2747018 8.07466439,28.1604089 8.32577265,27.0602631 C8.80774091,24.9485692 10.0461107,22.8947793 10.8362565,21.605909 C11.0489879,21.4493815 10.9122629,21.8964561 10.0363515,23.5230089 C9.25134103,25.0101357 7.78376323,28.4420972 9.79314068,31.1210705 C9.84684033,29.2145776 10.3021401,27.2701931 11.0664741,25.45145 C12.1797968,22.9278068 14.5084483,18.5514927 14.6933968,15.0635108 C14.7887555,15.1327561 15.1164383,15.3538525 15.2624505,15.4368866 C15.2627608,15.4373237 15.2628875,15.4373237 15.2633246,15.4373237 C15.6905181,15.6888908 16.0113611,16.0566244 16.426903,16.3905832 C16.8432709,16.7252019 17.3634237,17.0142238 18.149269,17.0600129 L18.149269,17.0600129 C19.066516,17.113092 19.7655905,16.8289912 20.3383504,16.5014745 C20.9102449,16.1744603 21.3671137,15.8125482 21.7999582,15.6712779 C21.8003952,15.6708409 21.8012693,15.6708409 21.8017063,15.6708409 
C22.7163355,15.3848215 23.44356,14.8785842 23.857393,14.2881327 L23.8576858,14.2878093 Z M29.6669682,30.3312962 C30.0374289,30.329548 30.4861993,30.4530917 30.9774372,30.6728508 C32.2995623,31.2832227 32.713238,31.8063999 32.3522873,32.5749338 C32.0481219,33.1548918 30.7462669,34.0775407 29.8540319,33.8342075 C28.9435503,33.5989814 28.4994564,32.2869871 28.6474877,31.2953987 C28.7267763,30.6220356 29.1076387,30.3339097 29.6669682,30.3312962 L29.6669682,30.3312962 Z M28.1710786,32.1433306 C28.2458176,33.3559191 28.8457529,34.5926195 29.9067526,34.8602742 C31.0678224,35.1661922 32.7418469,34.16998 33.4486352,33.3574182 C33.5895689,33.3517803 33.7273516,33.3448313 33.8611658,33.3416409 C34.4811527,33.3266503 35.001157,33.3620509 35.5324588,33.8267253 L35.534207,33.8284735 L35.5359552,33.8302216 C35.9442465,34.1761336 36.1383204,34.8298385 36.3066481,35.5621545 C36.4749627,36.294475 36.6095636,37.0920505 37.11435,37.6602345 L37.115224,37.6611086 L37.1156611,37.6619827 C38.0861227,38.7388952 38.3980544,39.4668146 38.3715083,39.931406 C38.344936,40.3960279 38.008556,40.7409347 37.3873891,41.1155867 C36.1455928,41.864576 33.9453056,42.5158727 32.5399192,44.2181871 C31.3196037,45.6704378 29.8315635,46.4680352 28.5210638,46.5714617 C27.2105642,46.6748883 26.0799127,46.1309646 25.4133237,44.793071 L25.4115756,44.7900117 L25.4098274,44.7869524 C24.9962959,44.0002986 25.1685614,42.758852 25.5169207,41.4493706 C25.8652845,40.1398937 26.3657922,38.7953264 26.4327911,37.7024923 L26.4327911,37.7007442 L26.4327911,37.698996 C26.5036666,36.2987755 26.5820418,35.0759688 26.8172504,34.1324728 C27.0524633,33.1889769 27.4228236,32.5499829 28.0790545,32.1909116 C28.109604,32.1742165 28.139948,32.1584392 28.1701128,32.1435097 L28.1710786,32.1433306 Z M6.86074718,32.2348346 C6.95869322,32.2351449 7.06234705,32.2434006 7.17277507,32.2601394 C7.91559769,32.3726653 8.5633675,32.8920358 9.18746261,33.7385341 C9.8115621,34.5850455 10.3922762,35.7405823 10.9892352,37.0223812 
L10.9901093,37.0241294 L10.9905463,37.0258776 C11.4702594,38.0271115 12.4825418,39.128044 13.3403902,40.2511564 C14.1982341,41.3742689 14.8621527,42.5016163 14.7756966,43.3644732 L14.7753863,43.3684066 L14.775076,43.37234 C14.6632363,44.843978 13.8330966,45.6451198 12.5587449,45.9361914 C11.2847734,46.2271625 9.55771794,45.9379396 7.83269472,45.035587 L7.83094655,45.035587 C5.9224477,44.0247687 3.65205856,44.1251622 2.19566909,43.8209924 C1.46727769,43.6688572 0.99200058,43.44013 0.773862951,43.0151698 C0.55571221,42.5902315 0.550839164,41.8488511 1.01440785,40.5847437 L1.01659307,40.5791059 L1.01834125,40.573468 C1.24759292,39.8663213 1.07793226,39.0925822 0.96663015,38.3663367 C0.855328038,37.6400911 0.800894151,36.9795116 1.04888192,36.5190765 L1.05019305,36.5168913 L1.05150418,36.514706 C1.36900824,35.9026821 1.83472718,35.683902 2.41273159,35.4765375 C2.990736,35.2691556 3.67612223,35.1062953 4.21734934,34.5638925 L4.21997161,34.5612703 L4.22259387,34.558648 C4.72293985,34.0308163 5.09877623,33.3691834 5.53863963,32.8995879 C5.90977341,32.5033678 6.28118253,32.2407652 6.84099715,32.2368755 L6.86053303,32.2368755 L6.86074718,32.2348346 Z"></path> <path d="M58.5014648,40 L58.5014648,6.7578125 L65.4194336,6.7578125 L65.4194336,35.2832031 L80.4008789,35.2832031 L80.4008789,40 L58.5014648,40 L58.5014648,40 L58.5014648,40 Z M86.2524414,40 L86.2524414,15.3378906 L92.9008789,15.3378906 L92.9008789,40 L86.2524414,40 L86.2524414,40 L86.2524414,40 Z M86.2524414,11.1826172 L86.2524414,5.63476562 L92.9008789,5.63476562 L92.9008789,11.1826172 L86.2524414,11.1826172 L86.2524414,11.1826172 L86.2524414,11.1826172 Z M100.211426,40 L100.211426,15.3378906 L106.859863,15.3378906 L106.859863,19.9873047 C109.031098,16.513329 111.8312,14.7763672 115.260254,14.7763672 C117.461437,14.7763672 119.198399,15.4726493 120.471191,16.8652344 C121.743984,18.2578195 122.380371,20.1594932 122.380371,22.5703125 L122.380371,40 L115.731934,40 L115.731934,24.2099609 C115.731934,21.4098167 
114.803557,20.0097656 112.946777,20.0097656 C110.835439,20.0097656 108.806488,21.4996596 106.859863,24.4794922 L106.859863,40 L100.211426,40 L100.211426,40 L100.211426,40 Z M145.672363,40 L145.672363,35.3505859 C143.516102,38.8245616 140.716,40.5615234 137.271973,40.5615234 C135.07079,40.5615234 133.333828,39.8652413 132.061035,38.4726562 C130.788242,37.0800712 130.151855,35.1783975 130.151855,32.7675781 L130.151855,15.3378906 L136.800293,15.3378906 L136.800293,31.1279297 C136.800293,33.9280739 137.736156,35.328125 139.60791,35.328125 C141.704275,35.328125 143.725739,33.838231 145.672363,30.8583984 L145.672363,15.3378906 L152.320801,15.3378906 L152.320801,40 L145.672363,40 L145.672363,40 L145.672363,40 Z M158.003418,40 L166.471191,27.6240234 L158.362793,15.3378906 L165.932129,15.3378906 L171.23291,23.1542969 L176.309082,15.3378906 L181.699707,15.3378906 L173.973145,27.4443359 L182.26123,40 L174.691895,40 L169.166504,31.8466797 L163.506348,40 L158.003418,40 L158.003418,40 L158.003418,40 Z"></path> </g> </g> </g> </svg> 
          </a>
      </div>
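      <div class="search" role="search">
          <!-- Result list; presumably filled by the search script with items shaped like
               <li><a href="…"><strong>name</strong> - description</a></li> — verify against the JS. -->
          <ul class="search-list" id="result">
          </ul>
          <!-- placeholder is not a label (it disappears on input and is not reliably announced),
               so the field carries an explicit accessible name; type stays "text" to keep the
               current styling. -->
          <input type="text" class="query" id="query" autocomplete="off" autofocus placeholder="Linux 命令搜索" aria-label="Linux 命令搜索">
          <div class="enter-input">
              <!-- current page path, read by the client-side script (value is page-specific) -->
              <input type="hidden" id="current_path" value="/c/iptables.html">
              <!-- explicit type: a bare <button> defaults to submit -->
              <button type="button" id="search_btn">搜索</button>
          </div>
      </div>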
  </div>
</div>
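<!-- type="text/javascript" is the default and is omitted -->
<script src="../js/copy-to-clipboard.js"></script>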

<div class="markdown-body">

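<span class="edit_btn">
<!-- Both links open GitHub's editor for this page's source markdown in a new tab;
     rel="noopener" is set explicitly so the new tab cannot reach this window via window.opener. -->
<a target="_blank" rel="noopener" href="https://github.com/jaywcjlove/linux-command/edit/master/command/iptables.md">纠正错误</a>
<span class="split"></span>
<a target="_blank" rel="noopener" href="https://github.com/jaywcjlove/linux-command/edit/master/command/iptables.md">添加实例</a>
</span>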


<script>const __TEMPLATE__ = document.createElement('template');
__TEMPLATE__.innerHTML = `
<style>

markdown-style h1:hover a.anchor .octicon-link:before,
markdown-style h2:hover a.anchor .octicon-link:before,
markdown-style h3:hover a.anchor .octicon-link:before,
markdown-style h4:hover a.anchor .octicon-link:before,
markdown-style h5:hover a.anchor .octicon-link:before,
markdown-style h6:hover a.anchor .octicon-link:before {
  width: 16px;
  height: 16px;
  content: ' ';
  display: inline-block;
  background-color: currentColor;
  -webkit-mask-image: url("data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' version='1.1' aria-hidden='true'><path fill-rule='evenodd' d='M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z'></path></svg>");
  mask-image: url("data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' version='1.1' aria-hidden='true'><path fill-rule='evenodd' d='M7.775 3.275a.75.75 0 001.06 1.06l1.25-1.25a2 2 0 112.83 2.83l-2.5 2.5a2 2 0 01-2.83 0 .75.75 0 00-1.06 1.06 3.5 3.5 0 004.95 0l2.5-2.5a3.5 3.5 0 00-4.95-4.95l-1.25 1.25zm-4.69 9.64a2 2 0 010-2.83l2.5-2.5a2 2 0 012.83 0 .75.75 0 001.06-1.06 3.5 3.5 0 00-4.95 0l-2.5 2.5a3.5 3.5 0 004.95 4.95l1.25-1.25a.75.75 0 00-1.06-1.06l-1.25 1.25a2 2 0 01-2.83 0z'></path></svg>");
}
[data-color-mode*='light'], [data-color-mode*='light'] body, markdown-style[theme*='light'] { --color-prettylights-syntax-comment: #6e7781; --color-prettylights-syntax-constant: #0550ae; --color-prettylights-syntax-entity: #8250df; --color-prettylights-syntax-storage-modifier-import: #24292f; --color-prettylights-syntax-entity-tag: #116329; --color-prettylights-syntax-keyword: #cf222e; --color-prettylights-syntax-string: #0a3069; --color-prettylights-syntax-variable: #953800; --color-prettylights-syntax-brackethighlighter-unmatched: #82071e; --color-prettylights-syntax-invalid-illegal-text: #f6f8fa; --color-prettylights-syntax-invalid-illegal-bg: #82071e; --color-prettylights-syntax-carriage-return-text: #f6f8fa; --color-prettylights-syntax-carriage-return-bg: #cf222e; --color-prettylights-syntax-string-regexp: #116329; --color-prettylights-syntax-markup-list: #3b2300; --color-prettylights-syntax-markup-heading: #0550ae; --color-prettylights-syntax-markup-italic: #24292f; --color-prettylights-syntax-markup-bold: #24292f; --color-prettylights-syntax-markup-deleted-text: #82071e; --color-prettylights-syntax-markup-deleted-bg: #FFEBE9; --color-prettylights-syntax-markup-inserted-text: #116329; --color-prettylights-syntax-markup-inserted-bg: #dafbe1; --color-prettylights-syntax-markup-changed-text: #953800; --color-prettylights-syntax-markup-changed-bg: #ffd8b5; --color-prettylights-syntax-markup-ignored-text: #eaeef2; --color-prettylights-syntax-markup-ignored-bg: #0550ae; --color-prettylights-syntax-meta-diff-range: #8250df; --color-prettylights-syntax-brackethighlighter-angle: #57606a; --color-prettylights-syntax-sublimelinter-gutter-mark: #8c959f; --color-prettylights-syntax-constant-other-reference-link: #0a3069; --color-fg-default: #24292f; --color-fg-muted: #57606a; --color-fg-subtle: #6e7781; --color-canvas-default: #ffffff; --color-canvas-subtle: #f6f8fa; --color-border-default: #d0d7de; --color-border-muted: hsla(210,18%,87%,1); --color-neutral-muted: 
rgba(175,184,193,0.2); --color-accent-fg: #0969da; --color-accent-emphasis: #0969da; --color-attention-subtle: #fff8c5; --color-danger-fg: #cf222e; } [data-color-mode*='dark'], [data-color-mode*='dark'] body, markdown-style[theme*='dark'] { --color-prettylights-syntax-comment: #8b949e; --color-prettylights-syntax-constant: #79c0ff; --color-prettylights-syntax-entity: #d2a8ff; --color-prettylights-syntax-storage-modifier-import: #c9d1d9; --color-prettylights-syntax-entity-tag: #7ee787; --color-prettylights-syntax-keyword: #ff7b72; --color-prettylights-syntax-string: #a5d6ff; --color-prettylights-syntax-variable: #ffa657; --color-prettylights-syntax-brackethighlighter-unmatched: #f85149; --color-prettylights-syntax-invalid-illegal-text: #f0f6fc; --color-prettylights-syntax-invalid-illegal-bg: #8e1519; --color-prettylights-syntax-carriage-return-text: #f0f6fc; --color-prettylights-syntax-carriage-return-bg: #b62324; --color-prettylights-syntax-string-regexp: #7ee787; --color-prettylights-syntax-markup-list: #f2cc60; --color-prettylights-syntax-markup-heading: #1f6feb; --color-prettylights-syntax-markup-italic: #c9d1d9; --color-prettylights-syntax-markup-bold: #c9d1d9; --color-prettylights-syntax-markup-deleted-text: #ffdcd7; --color-prettylights-syntax-markup-deleted-bg: #67060c; --color-prettylights-syntax-markup-inserted-text: #aff5b4; --color-prettylights-syntax-markup-inserted-bg: #033a16; --color-prettylights-syntax-markup-changed-text: #ffdfb6; --color-prettylights-syntax-markup-changed-bg: #5a1e02; --color-prettylights-syntax-markup-ignored-text: #c9d1d9; --color-prettylights-syntax-markup-ignored-bg: #1158c7; --color-prettylights-syntax-meta-diff-range: #d2a8ff; --color-prettylights-syntax-brackethighlighter-angle: #8b949e; --color-prettylights-syntax-sublimelinter-gutter-mark: #484f58; --color-prettylights-syntax-constant-other-reference-link: #a5d6ff; --color-fg-default: #c9d1d9; --color-fg-muted: #8b949e; --color-fg-subtle: #484f58; --color-canvas-default: 
#0d1117; --color-canvas-subtle: #161b22; --color-border-default: #30363d; --color-border-muted: #21262d; --color-neutral-muted: rgba(110,118,129,0.4); --color-accent-fg: #58a6ff; --color-accent-emphasis: #1f6feb; --color-attention-subtle: rgba(187,128,9,0.15); --color-danger-fg: #f85149; } markdown-style { display: block; -webkit-text-size-adjust: 100%; font-family: -apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji"; font-size: 16px; line-height: 1.5; word-wrap: break-word; color: var(--color-fg-default); background-color: var(--color-canvas-default); } markdown-style details, markdown-style figcaption, markdown-style figure { display: block; } markdown-style summary { display: list-item; } markdown-style [hidden] { display: none !important; } markdown-style a { background-color: transparent; color: var(--color-accent-fg); text-decoration: none; } markdown-style a:active, markdown-style a:hover { outline-width: 0; } markdown-style abbr[title] { border-bottom: none; text-decoration: underline dotted; } markdown-style b, markdown-style strong { font-weight: 600; } markdown-style dfn { font-style: italic; } markdown-style h1 { margin: .67em 0; font-weight: 600; padding-bottom: .3em; font-size: 2em; border-bottom: 1px solid var(--color-border-muted); } markdown-style mark { background-color: var(--color-attention-subtle); color: var(--color-text-primary); } markdown-style small { font-size: 90%; } markdown-style sub, markdown-style sup { font-size: 75%; line-height: 0; position: relative; vertical-align: baseline; } markdown-style sub { bottom: -0.25em; } markdown-style sup { top: -0.5em; } markdown-style img { border-style: none; max-width: 100%; box-sizing: content-box; background-color: var(--color-canvas-default); } markdown-style code, markdown-style kbd, markdown-style pre, markdown-style samp { font-family: monospace,monospace; font-size: 1em; } markdown-style figure { margin: 1em 40px; } markdown-style hr 
{ box-sizing: content-box; overflow: hidden; background: transparent; border-bottom: 1px solid var(--color-border-muted); height: .25em; padding: 0; margin: 24px 0; background-color: var(--color-border-default); border: 0; } markdown-style input { font: inherit; margin: 0; overflow: visible; font-family: inherit; font-size: inherit; line-height: inherit; } markdown-style [type=button], markdown-style [type=reset], markdown-style [type=submit] { -webkit-appearance: button; } markdown-style [type=button]::-moz-focus-inner, markdown-style [type=reset]::-moz-focus-inner, markdown-style [type=submit]::-moz-focus-inner { border-style: none; padding: 0; } markdown-style [type=button]:-moz-focusring, markdown-style [type=reset]:-moz-focusring, markdown-style [type=submit]:-moz-focusring { outline: 1px dotted ButtonText; } markdown-style [type=checkbox], markdown-style [type=radio] { box-sizing: border-box; padding: 0; } markdown-style [type=number]::-webkit-inner-spin-button, markdown-style [type=number]::-webkit-outer-spin-button { height: auto; } markdown-style [type=search] { -webkit-appearance: textfield; outline-offset: -2px; } markdown-style [type=search]::-webkit-search-cancel-button, markdown-style [type=search]::-webkit-search-decoration { -webkit-appearance: none; } markdown-style ::-webkit-input-placeholder { color: inherit; opacity: .54; } markdown-style ::-webkit-file-upload-button { -webkit-appearance: button; font: inherit; } markdown-style a:hover { text-decoration: underline; } markdown-style hr::before { display: table; content: ""; } markdown-style hr::after { display: table; clear: both; content: ""; } markdown-style table { border-spacing: 0; border-collapse: collapse; display: block; width: max-content; max-width: 100%; overflow: auto; } markdown-style td, markdown-style th { padding: 0; } markdown-style details summary { cursor: pointer; } markdown-style details:not([open])>*:not(summary) { display: none !important; } markdown-style kbd { display: 
inline-block; padding: 3px 5px; font: 11px ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace; line-height: 10px; color: var(--color-fg-default); vertical-align: middle; background-color: var(--color-canvas-subtle); border: solid 1px var(--color-neutral-muted); border-bottom-color: var(--color-neutral-muted); border-radius: 6px; box-shadow: inset 0 -1px 0 var(--color-neutral-muted); } markdown-style h1, markdown-style h2, markdown-style h3, markdown-style h4, markdown-style h5, markdown-style h6 { margin-top: 24px; margin-bottom: 16px; font-weight: 600; line-height: 1.25; } markdown-style h2 { font-weight: 600; padding-bottom: .3em; font-size: 1.5em; border-bottom: 1px solid var(--color-border-muted); } markdown-style h3 { font-weight: 600; font-size: 1.25em; } markdown-style h4 { font-weight: 600; font-size: 1em; } markdown-style h5 { font-weight: 600; font-size: .875em; } markdown-style h6 { font-weight: 600; font-size: .85em; color: var(--color-fg-muted); } markdown-style p { margin-top: 0; margin-bottom: 10px; } markdown-style blockquote { margin: 0; padding: 0 1em; color: var(--color-fg-muted); border-left: .25em solid var(--color-border-default); } markdown-style ul, markdown-style ol { margin-top: 0; margin-bottom: 0; padding-left: 2em; } markdown-style ol ol, markdown-style ul ol { list-style-type: lower-roman; } markdown-style ul ul ol, markdown-style ul ol ol, markdown-style ol ul ol, markdown-style ol ol ol { list-style-type: lower-alpha; } markdown-style dd { margin-left: 0; } markdown-style tt, markdown-style code { font-family: ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace; font-size: 12px; } markdown-style pre { margin-top: 0; margin-bottom: 0; font-family: ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace; font-size: 12px; word-wrap: normal; } markdown-style .octicon { display: inline-block; overflow: visible !important; vertical-align: text-bottom; fill: 
currentColor; } markdown-style ::placeholder { color: var(--color-fg-subtle); opacity: 1; } markdown-style input::-webkit-outer-spin-button, markdown-style input::-webkit-inner-spin-button { margin: 0; -webkit-appearance: none; appearance: none; }
markdown-style .token.comment, markdown-style .token.prolog, markdown-style .token.doctype, markdown-style .token.cdata { color: var(--color-prettylights-syntax-comment); } markdown-style .token.namespace { opacity: 0.7; } markdown-style .token.tag, markdown-style .token.selector, markdown-style .token.constant, markdown-style .token.symbol, markdown-style .token.deleted { color: var(--color-prettylights-syntax-entity-tag); } markdown-style .token.maybe-class-name { color: var(--color-prettylights-syntax-variable); } markdown-style .token.property-access, markdown-style .token.operator, markdown-style .token.boolean, markdown-style .token.number, markdown-style .token.selector markdown-style .token.class, markdown-style .token.attr-name, markdown-style .token.string, markdown-style .token.char, markdown-style .token.builtin { color: var(--color-prettylights-syntax-constant); } markdown-style .token.deleted { color: var(--color-prettylights-syntax-markup-deleted-text); } markdown-style .token.property { color: var(--color-prettylights-syntax-constant); } markdown-style .token.punctuation { color: var(--color-prettylights-syntax-markup-bold); } markdown-style .token.function { color: var(--color-prettylights-syntax-entity); } markdown-style .code-line .token.deleted { background-color: var(--color-prettylights-syntax-markup-deleted-bg); } markdown-style .token.inserted { color: var(--color-prettylights-syntax-markup-inserted-text); } markdown-style .code-line .token.inserted { background-color: var(--color-prettylights-syntax-markup-inserted-bg); } markdown-style .token.variable { color: var(--color-prettylights-syntax-constant); } markdown-style .token.entity, markdown-style .token.url, .language-css markdown-style .token.string, .style markdown-style .token.string { color: var(--color-prettylights-syntax-string); } markdown-style .token.color, markdown-style .token.atrule, markdown-style .token.attr-value, markdown-style .token.function, markdown-style 
.token.class-name { color: var(--color-prettylights-syntax-string); } markdown-style .token.rule, markdown-style .token.regex, markdown-style .token.important, markdown-style .token.keyword { color: var(--color-prettylights-syntax-keyword); } markdown-style .token.coord { color: var(--color-prettylights-syntax-meta-diff-range); } markdown-style .token.important, markdown-style .token.bold { font-weight: bold; } markdown-style .token.italic { font-style: italic; } markdown-style .token.entity { cursor: help; }
markdown-style [data-catalyst] { display: block; } markdown-style g-emoji { font-family: "Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol"; font-size: 1em; font-style: normal !important; font-weight: 400; line-height: 1; vertical-align: -0.075em; } markdown-style g-emoji img { width: 1em; height: 1em; } markdown-style::before { display: table; content: ""; } markdown-style::after { display: table; clear: both; content: ""; } markdown-style>*:first-child { margin-top: 0 !important; } markdown-style>*:last-child { margin-bottom: 0 !important; } markdown-style a:not([href]) { color: inherit; text-decoration: none; } markdown-style .absent { color: var(--color-danger-fg); } markdown-style a.anchor { float: left; padding-right: 4px; margin-left: -20px; line-height: 1; } markdown-style a.anchor:focus { outline: none; } markdown-style p, markdown-style blockquote, markdown-style ul, markdown-style ol, markdown-style dl, markdown-style table, markdown-style pre, markdown-style details { margin-top: 0; margin-bottom: 16px; } markdown-style blockquote>:first-child { margin-top: 0; } markdown-style blockquote>:last-child { margin-bottom: 0; } markdown-style sup>a::before { content: "["; } markdown-style sup>a::after { content: "]"; }
markdown-style .octicon-video { border: 1px solid #d0d7de !important; border-radius: 6px !important; display: block; } markdown-style .octicon-video summary { border-bottom: 1px solid #d0d7de !important; padding: 8px 16px !important; cursor: pointer; } markdown-style .octicon-video > video { display: block !important; max-width: 100% !important; padding: 2px; box-sizing: border-box; border-bottom-right-radius: 6px !important; border-bottom-left-radius: 6px !important; } markdown-style details.octicon-video:not([open])>*:not(summary) { display: none !important; } markdown-style details.octicon-video:not([open]) > summary { border-bottom: 0 !important; } markdown-style h1 .octicon-link, markdown-style h2 .octicon-link, markdown-style h3 .octicon-link, markdown-style h4 .octicon-link, markdown-style h5 .octicon-link, markdown-style h6 .octicon-link { color: var(--color-fg-default); vertical-align: middle; visibility: hidden; } markdown-style h1:hover .anchor, markdown-style h2:hover .anchor, markdown-style h3:hover .anchor, markdown-style h4:hover .anchor, markdown-style h5:hover .anchor, markdown-style h6:hover .anchor { text-decoration: none; } markdown-style h1:hover .anchor .octicon-link, markdown-style h2:hover .anchor .octicon-link, markdown-style h3:hover .anchor .octicon-link, markdown-style h4:hover .anchor .octicon-link, markdown-style h5:hover .anchor .octicon-link, markdown-style h6:hover .anchor .octicon-link { visibility: visible; } markdown-style h1 tt, markdown-style h1 code, markdown-style h2 tt, markdown-style h2 code, markdown-style h3 tt, markdown-style h3 code, markdown-style h4 tt, markdown-style h4 code, markdown-style h5 tt, markdown-style h5 code, markdown-style h6 tt, markdown-style h6 code { padding: 0 .2em; font-size: inherit; } markdown-style ul.no-list, markdown-style ol.no-list { padding: 0; list-style-type: none; } markdown-style ol[type="1"] { list-style-type: decimal; } markdown-style ol[type=a] { list-style-type: lower-alpha; } 
markdown-style ol[type=i] { list-style-type: lower-roman; } markdown-style div>ol:not([type]) { list-style-type: decimal; } markdown-style ul ul, markdown-style ul ol, markdown-style ol ol, markdown-style ol ul { margin-top: 0; margin-bottom: 0; } markdown-style li>p { margin-top: 16px; } markdown-style li+li { margin-top: .25em; } markdown-style dl { padding: 0; } markdown-style dl dt { padding: 0; margin-top: 16px; font-size: 1em; font-style: italic; font-weight: 600; } markdown-style dl dd { padding: 0 16px; margin-bottom: 16px; } markdown-style table th { font-weight: 600; } markdown-style table th, markdown-style table td { padding: 6px 13px; border: 1px solid var(--color-border-default); } markdown-style table tr { background-color: var(--color-canvas-default); border-top: 1px solid var(--color-border-muted); } markdown-style table tr:nth-child(2n) { background-color: var(--color-canvas-subtle); } markdown-style table img { background-color: transparent; vertical-align: middle; } markdown-style img[align=right] { padding-left: 20px; } markdown-style img[align=left] { padding-right: 20px; } markdown-style .emoji { max-width: none; vertical-align: text-top; background-color: transparent; } markdown-style span.frame { display: block; overflow: hidden; } markdown-style span.frame>span { display: block; float: left; width: auto; padding: 7px; margin: 13px 0 0; overflow: hidden; border: 1px solid var(--color-border-default); } markdown-style span.frame span img { display: block; float: left; } markdown-style span.frame span span { display: block; padding: 5px 0 0; clear: both; color: var(--color-fg-default); } markdown-style span.align-center { display: block; overflow: hidden; clear: both; } markdown-style span.align-center>span { display: block; margin: 13px auto 0; overflow: hidden; text-align: center; } markdown-style span.align-center span img { margin: 0 auto; text-align: center; } markdown-style span.align-right { display: block; overflow: hidden; clear: 
both; } markdown-style span.align-right>span { display: block; margin: 13px 0 0; overflow: hidden; text-align: right; } markdown-style span.align-right span img { margin: 0; text-align: right; } markdown-style span.float-left { display: block; float: left; margin-right: 13px; overflow: hidden; } markdown-style span.float-left span { margin: 13px 0 0; } markdown-style span.float-right { display: block; float: right; margin-left: 13px; overflow: hidden; } markdown-style span.float-right>span { display: block; margin: 13px auto 0; overflow: hidden; text-align: right; } markdown-style code, markdown-style tt { padding: .2em .4em; margin: 0; font-size: 85%; background-color: var(--color-neutral-muted); border-radius: 6px; } markdown-style code br, markdown-style tt br { display: none; } markdown-style del code { text-decoration: inherit; } markdown-style pre code { font-size: 100%; } markdown-style pre>code { padding: 0; margin: 0; word-break: normal; white-space: pre; background: transparent; border: 0; } markdown-style pre { position: relative; font-size: 85%; line-height: 1.45; background-color: var(--color-canvas-subtle); border-radius: 6px; } markdown-style pre code, markdown-style pre tt { display: inline; max-width: auto; padding: 0; margin: 0; overflow: visible; line-height: inherit; word-wrap: normal; background-color: transparent; border: 0; } markdown-style pre > code { padding: 16px; overflow: auto; display: block; } markdown-style .csv-data td, markdown-style .csv-data th { padding: 5px; overflow: hidden; font-size: 12px; line-height: 1; text-align: left; white-space: nowrap; } markdown-style .csv-data .blob-num { padding: 10px 8px 9px; text-align: right; background: var(--color-canvas-default); border: 0; } markdown-style .csv-data tr { border-top: 0; } markdown-style .csv-data th { font-weight: 600; background: var(--color-canvas-subtle); border-top: 0; } markdown-style .footnotes { font-size: 12px; color: var(--color-fg-muted); border-top: 1px solid 
var(--color-border-default); } markdown-style .footnotes ol { padding-left: 16px; } markdown-style .footnotes li { position: relative; } markdown-style .footnotes li:target::before { position: absolute; top: -8px; right: -8px; bottom: -8px; left: -24px; pointer-events: none; content: ""; border: 2px solid var(--color-accent-emphasis); border-radius: 6px; } markdown-style .footnotes li:target { color: var(--color-fg-default); } markdown-style .footnotes .data-footnote-backref g-emoji { font-family: monospace; } markdown-style .task-list-item { list-style-type: none; } markdown-style .task-list-item label { font-weight: 400; } markdown-style .task-list-item.enabled label { cursor: pointer; } markdown-style .task-list-item+.task-list-item { margin-top: 3px; } markdown-style .task-list-item .handle { display: none; } markdown-style .task-list-item-checkbox, markdown-style input[type="checkbox"] { margin: 0 .2em .25em -1.6em; vertical-align: middle; } markdown-style .contains-task-list:dir(rtl) .task-list-item-checkbox, markdown-style .contains-task-list:dir(rtl) input[type="checkbox"] { margin: 0 -1.6em .25em .2em; } markdown-style ::-webkit-calendar-picker-indicator { filter: invert(50%); }
</style>
<slot></slot>
`;
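class MarkdownStyle extends HTMLElement {
    constructor() {
        super();
        this.shadow = this.attachShadow({ mode: 'open' });
        this.shadow.appendChild(__TEMPLATE__.content.cloneNode(true));
        // The template carries a single <style>. The first instance created
        // hoists it into document.head under a fixed id so the page holds one
        // copy of the sheet; later instances find the id taken and leave their
        // copy where the template put it.
        const styleNode = Array.prototype.slice
            .call(this.shadow.children)
            .find((node) => node.tagName === 'STYLE');
        if (styleNode) {
            const id = '__MARKDOWN_STYLE__';
            if (!document.getElementById(id)) {
                styleNode.id = id;
                document.head.append(styleNode);
            }
        }
        // Populated by connectedCallback; declared here so the fields exist
        // before the element is first attached.
        this._observer = null;
        this._autoTheme = false;
        this._mediaQueries = null;
    }

    /** The `theme` attribute, or '' when it is absent. */
    get theme() {
        const value = this.getAttribute('theme');
        return value === null ? '' : value;
    }

    /**
     * Reflect `name` into the `theme` attribute. `undefined`/`null` clear the
     * attribute. The previous version passed them straight to setAttribute,
     * which stored the literal string "undefined" whenever <html> had no
     * data-color-mode yet, and that string then counted as a real theme.
     */
    set theme(name) {
        if (name === undefined || name === null) {
            this.removeAttribute('theme');
        } else {
            this.setAttribute('theme', name);
        }
    }

    /** Copy <html data-color-mode> into this element's `theme` attribute. */
    _syncThemeFromDocument() {
        this.theme = document.documentElement.dataset.colorMode;
    }

    connectedCallback() {
        // An author-supplied theme="…" pins the theme and disables tracking.
        // A theme written by this class itself (_autoTheme) does not, so a
        // detached-and-reinserted element resumes tracking.
        if (this.theme && !this._autoTheme) {
            return;
        }
        this._autoTheme = true;
        this._syncThemeFromDocument();
        if (!this._observer) {
            this._observer = new MutationObserver(() => this._syncThemeFromDocument());
        }
        // Watch only the attribute that is read, not every attribute on <html>.
        this._observer.observe(document.documentElement, {
            attributes: true,
            attributeFilter: ['data-color-mode'],
        });
        if (!this._mediaQueries) {
            // Follow the OS colour scheme as well. The MediaQueryList objects
            // are kept on the instance so they are installed exactly once.
            const light = window.matchMedia('(prefers-color-scheme: light)');
            const dark = window.matchMedia('(prefers-color-scheme: dark)');
            light.onchange = (event) => {
                this.theme = event.matches ? 'light' : 'dark';
            };
            dark.onchange = (event) => {
                this.theme = event.matches ? 'dark' : 'light';
            };
            this._mediaQueries = [light, dark];
        }
    }

    disconnectedCallback() {
        // Stop observing <html> while detached: the observer callback closes
        // over `this`, so leaving it registered would keep a removed element
        // reachable. connectedCallback re-arms it on re-insertion.
        if (this._observer) {
            this._observer.disconnect();
        }
    }
}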
// Register the element so the <markdown-style> tag that follows upgrades to MarkdownStyle.
customElements.define('markdown-style', MarkdownStyle);</script><markdown-style style="max-width: 960px; margin: 0 auto 60px auto; padding: 8px" class="markdown-style">
<h1 id="iptables"><a class="anchor" aria-hidden="true" tabindex="-1" href="#iptables"><span class="octicon octicon-link"></span></a>iptables</h1>
<p>Linux上常用的防火墙软件</p>
<h2 id="补充说明"><a class="anchor" aria-hidden="true" tabindex="-1" href="#补充说明"><span class="octicon octicon-link"></span></a>补充说明</h2>
<p><strong>iptables命令</strong> 是Linux上常用的防火墙软件，是netfilter项目的用户态工具，用于配置内核中的 IPv4 包过滤、NAT 和报文修改规则。<code>iptables</code> 本身只管理 IPv4 规则，IPv6 需用对应的 <code>ip6tables</code> 单独配置，否则 IPv6 流量不受下述规则约束。可以直接配置，也可以通过许多前端和图形界面配置。修改规则需要 root 权限；所有修改立即生效，但只保存在内核内存中，重启后丢失，需按下文“保存规则到配置文件中”一节另行持久化。</p><!-- TOC -->
<ul>
  <li><a href="#%E8%A1%A5%E5%85%85%E8%AF%B4%E6%98%8E">补充说明</a>
    <ul>
      <li><a href="#%E8%AF%AD%E6%B3%95">语法</a></li>
      <li><a href="#%E9%80%89%E9%A1%B9">选项</a></li>
    </ul>
  </li>
  <li><a href="#%E5%9F%BA%E6%9C%AC%E5%8F%82%E6%95%B0">基本参数</a>
    <ul>
      <li><a href="#%E5%91%BD%E4%BB%A4%E9%80%89%E9%A1%B9%E8%BE%93%E5%85%A5%E9%A1%BA%E5%BA%8F">命令选项输入顺序</a></li>
      <li><a href="#%E5%B7%A5%E4%BD%9C%E6%9C%BA%E5%88%B6">工作机制</a></li>
      <li><a href="#%E9%98%B2%E7%81%AB%E5%A2%99%E7%9A%84%E7%AD%96%E7%95%A5">防火墙的策略</a></li>
      <li><a href="#%E9%98%B2%E7%81%AB%E5%A2%99%E7%9A%84%E7%AD%96%E7%95%A5-1">防火墙的策略</a></li>
      <li><a href="#%E5%AE%9E%E4%BE%8B">实例</a>
        <ul>
          <li><a href="#%E6%B8%85%E7%A9%BA%E5%BD%93%E5%89%8D%E7%9A%84%E6%89%80%E6%9C%89%E8%A7%84%E5%88%99%E5%92%8C%E8%AE%A1%E6%95%B0">清空当前的所有规则和计数</a></li>
          <li><a href="#%E9%85%8D%E7%BD%AE%E5%85%81%E8%AE%B8ssh%E7%AB%AF%E5%8F%A3%E8%BF%9E%E6%8E%A5">配置允许ssh端口连接</a></li>
          <li><a href="#%E5%85%81%E8%AE%B8%E6%9C%AC%E5%9C%B0%E5%9B%9E%E7%8E%AF%E5%9C%B0%E5%9D%80%E5%8F%AF%E4%BB%A5%E6%AD%A3%E5%B8%B8%E4%BD%BF%E7%94%A8">允许本地回环地址可以正常使用</a></li>
          <li><a href="#%E8%AE%BE%E7%BD%AE%E9%BB%98%E8%AE%A4%E7%9A%84%E8%A7%84%E5%88%99">设置默认的规则</a></li>
          <li><a href="#%E9%85%8D%E7%BD%AE%E7%99%BD%E5%90%8D%E5%8D%95">配置白名单</a></li>
          <li><a href="#%E5%BC%80%E5%90%AF%E7%9B%B8%E5%BA%94%E7%9A%84%E6%9C%8D%E5%8A%A1%E7%AB%AF%E5%8F%A3">开启相应的服务端口</a></li>
          <li><a href="#%E4%BF%9D%E5%AD%98%E8%A7%84%E5%88%99%E5%88%B0%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E4%B8%AD">保存规则到配置文件中</a></li>
          <li><a href="#%E5%88%97%E5%87%BA%E5%B7%B2%E8%AE%BE%E7%BD%AE%E7%9A%84%E8%A7%84%E5%88%99">列出已设置的规则</a></li>
          <li><a href="#%E6%B8%85%E9%99%A4%E5%B7%B2%E6%9C%89%E8%A7%84%E5%88%99">清除已有规则</a></li>
          <li><a href="#%E5%88%A0%E9%99%A4%E5%B7%B2%E6%B7%BB%E5%8A%A0%E7%9A%84%E8%A7%84%E5%88%99">删除已添加的规则</a></li>
          <li><a href="#%E5%BC%80%E6%94%BE%E6%8C%87%E5%AE%9A%E7%9A%84%E7%AB%AF%E5%8F%A3">开放指定的端口</a></li>
          <li><a href="#%E5%B1%8F%E8%94%BDip">屏蔽IP</a></li>
          <li><a href="#%E6%8C%87%E5%AE%9A%E6%95%B0%E6%8D%AE%E5%8C%85%E5%87%BA%E5%8E%BB%E7%9A%84%E7%BD%91%E7%BB%9C%E6%8E%A5%E5%8F%A3">指定数据包出去的网络接口</a></li>
          <li><a href="#%E6%9F%A5%E7%9C%8B%E5%B7%B2%E6%B7%BB%E5%8A%A0%E7%9A%84%E8%A7%84%E5%88%99">查看已添加的规则</a></li>
          <li><a href="#%E5%90%AF%E5%8A%A8%E7%BD%91%E7%BB%9C%E8%BD%AC%E5%8F%91%E8%A7%84%E5%88%99">启动网络转发规则</a></li>
          <li><a href="#%E7%AB%AF%E5%8F%A3%E6%98%A0%E5%B0%84">端口映射</a></li>
          <li><a href="#%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%8C%B9%E9%85%8D">字符串匹配</a></li>
          <li><a href="#%E9%98%BB%E6%AD%A2windows%E8%A0%95%E8%99%AB%E7%9A%84%E6%94%BB%E5%87%BB">阻止Windows蠕虫的攻击</a></li>
          <li><a href="#%E9%98%B2%E6%AD%A2syn%E6%B4%AA%E6%B0%B4%E6%94%BB%E5%87%BB">防止SYN洪水攻击</a></li>
        </ul>
      </li>
    </ul>
  </li>
</ul><!-- /TOC -->
<h3 id="语法"><a class="anchor" aria-hidden="true" tabindex="-1" href="#语法"><span class="octicon octicon-link"></span></a>语法</h3>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables<span class="token punctuation">(</span>选项<span class="token punctuation">)</span><span class="token punctuation">(</span>参数<span class="token punctuation">)</span>
</span></code></pre>
<h3 id="选项"><a class="anchor" aria-hidden="true" tabindex="-1" href="#选项"><span class="octicon octicon-link"></span></a>选项</h3>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">-t, <span class="token parameter variable">--table</span> table 对指定的表 table 进行操作， table 必须是 raw， nat，filter，mangle 中的一个。如果不指定此选项，默认的是 filter 表。
</span><span class="code-line line-number" line="2">
</span><span class="code-line line-number" line="3"><span class="token comment"># 通用匹配：源地址目标地址的匹配</span>
</span><span class="code-line line-number" line="4">-p：指定要匹配的数据包协议类型；
</span><span class="code-line line-number" line="5">-s, <span class="token parameter variable">--source</span> <span class="token punctuation">[</span><span class="token operator">!</span><span class="token punctuation">]</span> address<span class="token punctuation">[</span>/mask<span class="token punctuation">]</span> ：把指定的一个／一组地址作为源地址，按此规则进行过滤。当后面没有 mask 时，address 是一个地址，比如：192.168.1.1；当 mask 指定时，可以表示一组范围内的地址，比如：192.168.1.0/255.255.255.0（也可写作 CIDR 形式 192.168.1.0/24）。
</span><span class="code-line line-number" line="6">-d, <span class="token parameter variable">--destination</span> <span class="token punctuation">[</span><span class="token operator">!</span><span class="token punctuation">]</span> address<span class="token punctuation">[</span>/mask<span class="token punctuation">]</span> ：地址格式同上，但这里是指定地址为目的地址，按此进行过滤。
</span><span class="code-line line-number" line="7">-i, --in-interface <span class="token punctuation">[</span><span class="token operator">!</span><span class="token punctuation">]</span> <span class="token operator">&#x3C;</span>网络接口name<span class="token operator">></span> ：指定数据包进入时所经过的网络接口，比如最常见的 eth0 。注意：它只对 INPUT，FORWARD，PREROUTING 这三个链起作用。如果没有指定此选项， 说明可以来自任何一个网络接口。同前面类似，<span class="token string">"!"</span> 表示取反。
</span><span class="code-line line-number" line="8">-o, --out-interface <span class="token punctuation">[</span><span class="token operator">!</span><span class="token punctuation">]</span> <span class="token operator">&#x3C;</span>网络接口name<span class="token operator">></span> ：指定数据包出去的网络接口。只对 OUTPUT，FORWARD，POSTROUTING 三个链起作用。
</span><span class="code-line line-number" line="9">
</span><span class="code-line line-number" line="10"><span class="token comment"># 查看管理命令</span>
</span><span class="code-line line-number" line="11">-L, <span class="token parameter variable">--list</span> <span class="token punctuation">[</span>chain<span class="token punctuation">]</span> 列出链 chain 上面的所有规则，如果没有指定链，列出表上所有链的所有规则。
</span><span class="code-line line-number" line="12">
</span><span class="code-line line-number" line="13"><span class="token comment"># 规则管理命令</span>
</span><span class="code-line line-number" line="14">-A, <span class="token parameter variable">--append</span> chain rule-specification 在指定链 chain 的末尾追加指定的规则。链内规则按顺序匹配，数据包命中第一条带终止性目标（如 ACCEPT、DROP、REJECT）的规则后就不再继续，所以追加到末尾的规则只有在前面所有规则都未命中时才会被评估；若链中已有更宽泛的 ACCEPT 或 DROP 规则，追加的规则实际不会生效，此时应改用 -I 插到合适位置。规则是由后面的匹配来指定。
</span><span class="code-line line-number" line="15">-I, <span class="token parameter variable">--insert</span> chain <span class="token punctuation">[</span>rulenum<span class="token punctuation">]</span> rule-specification 在链 chain 中的指定位置插入一条或多条规则。如果指定的规则号是1，则在链的头部插入。这也是默认的情况，如果没有指定规则号。
</span><span class="code-line line-number" line="16">-D, <span class="token parameter variable">--delete</span> chain rule-specification -D, <span class="token parameter variable">--delete</span> chain rulenum 在指定的链 chain 中删除一个或多个指定规则。
</span><span class="code-line line-number" line="17"><span class="token parameter variable">-R</span>, <span class="token parameter variable">--replace</span> chain rulenum rule-specification：用新规则替换链 chain 中的第 rulenum 条规则（规则号从 1 起，可用 -L 配合 <span class="token parameter variable">--line-numbers</span> 查看）。
</span><span class="code-line line-number" line="18">
</span><span class="code-line line-number" line="19"><span class="token comment"># 链管理命令（这都是立即生效的，但只修改内核内存中的规则，重启后丢失，需另行保存到配置文件）</span>
</span><span class="code-line line-number" line="20">-P, <span class="token parameter variable">--policy</span> chain target ：为指定的链 chain 设置策略 target，即链中所有规则都未命中时采用的默认动作（通常为 ACCEPT 或 DROP）。注意，只有内置的链才允许有策略，用户自定义的是不允许的。远程操作时务必先放行管理连接（如 SSH 端口和已建立的连接），再把 INPUT 策略改为 DROP，否则会立刻失联。
</span><span class="code-line line-number" line="21">-F, <span class="token parameter variable">--flush</span> <span class="token punctuation">[</span>chain<span class="token punctuation">]</span> 清空指定链 chain 上面的所有规则。如果没有指定链，清空该表上所有链的所有规则。注意：-F 只删除规则，不会重置链的默认策略；若策略已是 DROP，清空后所有流量都会被丢弃，远程清空前应先把策略改回 ACCEPT。它只作用于 -t 指定的表（默认 filter），其他表中的规则不受影响。
</span><span class="code-line line-number" line="22">-N, --new-chain chain 用指定的名字创建一个新的链。
</span><span class="code-line line-number" line="23">-X, --delete-chain <span class="token punctuation">[</span>chain<span class="token punctuation">]</span> ：删除指定的链，这个链必须没有被其它任何规则引用，而且这条上必须没有任何规则。如果没有指定链名，则会删除该表中所有非内置的链。
</span><span class="code-line line-number" line="24">-E, --rename-chain old-chain new-chain ：用指定的新名字去重命名指定的链。这并不会对链内部造成任何影响。
</span><span class="code-line line-number" line="25">-Z, <span class="token parameter variable">--zero</span> <span class="token punctuation">[</span>chain<span class="token punctuation">]</span> ：把指定链，或者表中的所有链上的所有计数器清零。
</span><span class="code-line line-number" line="26">
</span><span class="code-line line-number" line="27">-j, <span class="token parameter variable">--jump</span> target <span class="token operator">&#x3C;</span>指定目标<span class="token operator">></span> ：即满足某条件时该执行什么样的动作。target 可以是内置的目标，比如 ACCEPT，也可以是用户自定义的链。常用内置目标：ACCEPT（放行）、DROP（静默丢弃）、REJECT（丢弃并回送错误报文）、RETURN（返回调用链）、LOG（记录日志后继续匹配下一条）。没有 -j 的规则只更新匹配计数，不改变数据包的去向。
</span><span class="code-line line-number" line="28">-h：显示帮助信息；
</span></code></pre>
<h2 id="基本参数"><a class="anchor" aria-hidden="true" tabindex="-1" href="#基本参数"><span class="octicon octicon-link"></span></a>基本参数</h2>

  
    
      
      
    
  
  
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
  
<table><caption>iptables 常用参数速查</caption><thead><tr><th scope="col">参数</th><th scope="col">作用</th></tr></thead><tbody><tr><td>-P</td><td>设置链的默认策略（所有规则都未命中时的动作），例如 <code>iptables -P INPUT DROP</code>；仅内置链可设，远程操作前须先放行管理连接</td></tr><tr><td>-F</td><td>清空规则链（不会重置默认策略）</td></tr><tr><td>-L</td><td>查看规则链（配合 <code>-n</code> 不做反向解析，<code>--line-numbers</code> 显示规则号）</td></tr><tr><td>-A</td><td>在规则链的末尾追加新规则（前面已有更宽泛的规则时不会被执行到）</td></tr><tr><td>-I [num]</td><td>在规则链的头部（或第 num 条之前）插入新规则</td></tr><tr><td>-D num</td><td>删除链中第 num 条规则（也可写出完整规则内容来指定要删除的规则）</td></tr><tr><td>-s</td><td>匹配来源地址IP/MASK，加叹号"!"表示除这个IP外。</td></tr><tr><td>-d</td><td>匹配目标地址</td></tr><tr><td>-i</td><td>网卡名称 匹配从这块网卡流入的数据</td></tr><tr><td>-o</td><td>网卡名称 匹配从这块网卡流出的数据</td></tr><tr><td>-p</td><td>匹配协议,如tcp,udp,icmp</td></tr><tr><td>--dport num</td><td>匹配目标端口号（须与 -p tcp 或 -p udp 搭配）</td></tr><tr><td>--sport num</td><td>匹配来源端口号（须与 -p tcp 或 -p udp 搭配）</td></tr></tbody></table>
<h4 id="命令选项输入顺序"><a class="anchor" aria-hidden="true" tabindex="-1" href="#命令选项输入顺序"><span class="octicon octicon-link"></span></a>命令选项输入顺序</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-t</span> 表名 <span class="token operator">&#x3C;</span>-A/I/D/R<span class="token operator">></span> 规则链名 <span class="token punctuation">[</span>规则号<span class="token punctuation">]</span> <span class="token operator">&#x3C;</span>-i/o 网卡名<span class="token operator">></span> <span class="token parameter variable">-p</span> 协议名 <span class="token operator">&#x3C;</span>-s 源IP/源子网<span class="token operator">></span> <span class="token parameter variable">--sport</span> 源端口 <span class="token operator">&#x3C;</span>-d 目标IP/目标子网<span class="token operator">></span> <span class="token parameter variable">--dport</span> 目标端口 <span class="token parameter variable">-j</span> 动作
</span></code><div onclick="copied(this)" data-code="iptables -t 表名 <-A/I/D/R> 规则链名 [规则号] <-i/o 网卡名> -p 协议名 <-s 源IP/源子网> --sport 源端口 <-d 目标IP/目标子网> --dport 目标端口 -j 动作
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="工作机制"><a class="anchor" aria-hidden="true" tabindex="-1" href="#工作机制"><span class="octicon octicon-link"></span></a>工作机制</h4>
<p>规则链名包括（也被称为五个钩子函数，hook functions）：</p>
<ul>
  <li><strong>INPUT链</strong> ：处理输入数据包。</li>
  <li><strong>OUTPUT链</strong> ：处理输出数据包。</li>
  <li><strong>FORWARD链</strong> ：处理转发数据包。</li>
  <li><strong>PREROUTING链</strong> ：用于目标地址转换（DNAT）。</li>
  <li><strong>POSTROUTING链</strong> ：用于源地址转换（SNAT）。</li>
</ul>
<h4 id="防火墙的策略"><a class="anchor" aria-hidden="true" tabindex="-1" href="#防火墙的策略"><span class="octicon octicon-link"></span></a>防火墙的策略</h4>
<p>防火墙策略一般分为两种：一种叫<code>通</code>策略，一种叫<code>堵</code>策略。通策略是默认门关着的，必须明确定义谁能进；堵策略则是大门洞开的，但你必须有身份认证，否则不能进。所以我们要定义：让该进来的进来，让该出去的出去，<code>所以通，是要全通，而堵，则是要选择</code>。当我们定义策略的时候，要分别定义多种功能，其中：定义数据包允许或不允许通过的策略，是 filter 过滤的功能；而定义地址转换的功能，则是 nat 选项。为了让这些功能交替工作，我们制定出了“表”这个定义，来定义、区分各种不同的工作功能和处理方式。</p>
<p>我们现在用得比较多的功能有 3 个：</p>
<ol>
  <li>filter 定义允许或者不允许的，只能做在3个链上：INPUT ，FORWARD ，OUTPUT</li>
  <li>nat 定义地址转换的，也只能做在3个链上：PREROUTING ，OUTPUT ，POSTROUTING</li>
  <li>mangle功能:修改报文原数据，是5个链都可以做：PREROUTING，INPUT，FORWARD，OUTPUT，POSTROUTING</li>
</ol>
<p>修改报文原数据的一个典型用途就是修改 TTL。mangle 能够将数据包的元数据拆开，在里面做标记或修改内容；而防火墙标记，其实就是靠 mangle 来实现的。</p>
<p>小扩展:</p>
<ul>
  <li>对于filter来讲一般只能做在3个链上：INPUT ，FORWARD ，OUTPUT</li>
  <li>对于nat来讲一般也只能做在3个链上：PREROUTING ，OUTPUT ，POSTROUTING</li>
  <li>而mangle则是5个链都可以做：PREROUTING，INPUT，FORWARD，OUTPUT，POSTROUTING</li>
</ul>
<p>iptables（这款软件）是工作在用户空间的命令行工具，它把规则下发给内核中的 netfilter 框架使其生效；它本身不是一种服务，而且规则是立即生效的。而现在 iptables 被做成了一个服务，可以进行启动、停止：启动，则将保存的规则直接加载生效；停止，则将规则撤销。</p>
<p>iptables 还支持自定义链。但是自定义的链必须与某条内置链关联起来：在某个关卡上设定，当有数据到达时跳转到该自定义链去处理，当那条链处理完之后再返回，接着在原来的内置链中继续检查。</p>
<p>注意：规则的次序非常关键，<code>谁的规则越严格，应该放得越靠前</code>，因为检查规则的时候，是按照从上往下的顺序逐条匹配的，一般来说命中第一条匹配规则后即按其动作处理。</p>
<p>表名包括：</p>
<ul>
  <li><strong>raw</strong> ：高级功能，如：网址过滤（raw 表在连接跟踪之前处理数据包，常用于免除连接跟踪等）。</li>
  <li><strong>mangle</strong> ：数据包修改（QOS），用于实现服务质量。</li>
  <li><strong>nat</strong> ：地址转换，用于网关路由器。</li>
  <li><strong>filter</strong> ：包过滤，用于防火墙规则。</li>
</ul>
<p>动作包括：</p>
<ul>
  <li><strong>ACCEPT</strong> ：接收数据包。</li>
  <li><strong>DROP</strong> ：丢弃数据包。</li>
  <li><strong>REDIRECT</strong> ：重定向、映射、透明代理。</li>
  <li><strong>SNAT</strong> ：源地址转换。</li>
  <li><strong>DNAT</strong> ：目标地址转换。</li>
  <li><strong>MASQUERADE</strong> ：IP伪装（NAT），用于 ADSL 等出口地址动态变化的场景。</li>
  <li><strong>LOG</strong> ：日志记录。</li>
  <li><strong>SECMARK</strong> : 添加 SECMARK 安全标记以供网域内强制访问控制（MAC）使用</li>
</ul>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">                             ┏╍╍╍╍╍╍╍╍╍╍╍╍╍╍╍┓
</span><span class="code-line line-number" line="2"> ┌───────────────┐           ┃    Network    ┃
</span><span class="code-line line-number" line="3"> │ table: filter │           ┗━━━━━━━┳━━━━━━━┛
</span><span class="code-line line-number" line="4"> │ chain: INPUT  │◀────┐             │
</span><span class="code-line line-number" line="5"> └───────┬───────┘     │             ▼
</span><span class="code-line line-number" line="6">         │             │   ┌───────────────────┐
</span><span class="code-line line-number" line="7">  ┌      ▼      ┐      │   │ table: nat        │
</span><span class="code-line line-number" line="8">  │local process│      │   │ chain: PREROUTING │
</span><span class="code-line line-number" line="9">  └             ┘      │   └─────────┬─────────┘
</span><span class="code-line line-number" line="10">         │             │             │
</span><span class="code-line line-number" line="11">         ▼             │             ▼              ┌─────────────────┐
</span><span class="code-line line-number" line="12">┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅    │     ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅      │table: nat       │
</span><span class="code-line line-number" line="13"> Routing decision      └───── outing decision ─────▶│chain: PREROUTING│
</span><span class="code-line line-number" line="14">┅┅┅┅┅┅┅┅┅┳┅┅┅┅┅┅┅┅┅          ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅      └────────┬────────┘
</span><span class="code-line line-number" line="15">         │                                                   │
</span><span class="code-line line-number" line="16">         ▼                                                   │
</span><span class="code-line line-number" line="17"> ┌───────────────┐                                           │
</span><span class="code-line line-number" line="18"> │ table: nat    │           ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅               │
</span><span class="code-line line-number" line="19"> │ chain: OUTPUT │    ┌─────▶ outing decision ◀──────────────┘
</span><span class="code-line line-number" line="20"> └───────┬───────┘    │      ┅┅┅┅┅┅┅┅┳┅┅┅┅┅┅┅┅
</span><span class="code-line line-number" line="21">         │            │              │
</span><span class="code-line line-number" line="22">         ▼            │              ▼
</span><span class="code-line line-number" line="23"> ┌───────────────┐    │   ┌────────────────────┐
</span><span class="code-line line-number" line="24"> │ table: filter │    │   │ chain: POSTROUTING │
</span><span class="code-line line-number" line="25"> │ chain: OUTPUT ├────┘   └──────────┬─────────┘
</span><span class="code-line line-number" line="26"> └───────────────┘                   │
</span><span class="code-line line-number" line="27">                                     ▼
</span><span class="code-line line-number" line="28">                             ┏╍╍╍╍╍╍╍╍╍╍╍╍╍╍╍┓
</span><span class="code-line line-number" line="29">                             ┃    Network    ┃
</span><span class="code-line line-number" line="30">                             ┗━━━━━━━━━━━━━━━┛
</span></code><div onclick="copied(this)" data-code="                             ┏╍╍╍╍╍╍╍╍╍╍╍╍╍╍╍┓
 ┌───────────────┐           ┃    Network    ┃
 │ table: filter │           ┗━━━━━━━┳━━━━━━━┛
 │ chain: INPUT  │◀────┐             │
 └───────┬───────┘     │             ▼
         │             │   ┌───────────────────┐
  ┌      ▼      ┐      │   │ table: nat        │
  │local process│      │   │ chain: PREROUTING │
  └             ┘      │   └─────────┬─────────┘
         │             │             │
         ▼             │             ▼              ┌─────────────────┐
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅    │     ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅      │table: nat       │
 Routing decision      └───── outing decision ─────▶│chain: PREROUTING│
┅┅┅┅┅┅┅┅┅┳┅┅┅┅┅┅┅┅┅          ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅      └────────┬────────┘
         │                                                   │
         ▼                                                   │
 ┌───────────────┐                                           │
 │ table: nat    │           ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅               │
 │ chain: OUTPUT │    ┌─────▶ outing decision ◀──────────────┘
 └───────┬───────┘    │      ┅┅┅┅┅┅┅┅┳┅┅┅┅┅┅┅┅
         │            │              │
         ▼            │              ▼
 ┌───────────────┐    │   ┌────────────────────┐
 │ table: filter │    │   │ chain: POSTROUTING │
 │ chain: OUTPUT ├────┘   └──────────┬─────────┘
 └───────────────┘                   │
                                     ▼
                             ┏╍╍╍╍╍╍╍╍╍╍╍╍╍╍╍┓
                             ┃    Network    ┃
                             ┗━━━━━━━━━━━━━━━┛
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h3 id="实例"><a class="anchor" aria-hidden="true" tabindex="-1" href="#实例"><span class="octicon octicon-link"></span></a>实例</h3>
<h4 id="清空当前的所有规则和计数"><a class="anchor" aria-hidden="true" tabindex="-1" href="#清空当前的所有规则和计数"><span class="octicon octicon-link"></span></a>清空当前的所有规则和计数</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-F</span>  <span class="token comment"># 清空所有的防火墙规则（若默认策略为 DROP，清空后现有远程连接会被拒绝，请在控制台执行或先放宽默认策略）</span>
</span><span class="code-line line-number" line="2">iptables <span class="token parameter variable">-X</span>  <span class="token comment"># 删除用户自定义的空链</span>
</span><span class="code-line line-number" line="3">iptables <span class="token parameter variable">-Z</span>  <span class="token comment"># 清空计数</span>
</span></code><div onclick="copied(this)" data-code="iptables -F  # 清空所有的防火墙规则（若默认策略为 DROP，清空后现有远程连接会被拒绝，请在控制台执行或先放宽默认策略）
iptables -X  # 删除用户自定义的空链
iptables -Z  # 清空计数
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="配置允许ssh端口连接"><a class="anchor" aria-hidden="true" tabindex="-1" href="#配置允许ssh端口连接"><span class="octicon octicon-link"></span></a>配置允许ssh端口连接</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line line-number" line="2"><span class="token comment"># 22为你的ssh端口， -s 192.168.1.0/24表示只允许这个网段的机器来连接，其它网段的 IP 地址是登录不了你的机器的。 -j ACCEPT表示接受这样的请求</span>
</span></code><div onclick="copied(this)" data-code="iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# 22为你的ssh端口， -s 192.168.1.0/24表示只允许这个网段的机器来连接，其它网段的 IP 地址是登录不了你的机器的。 -j ACCEPT表示接受这样的请求
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="允许本地回环地址可以正常使用"><a class="anchor" aria-hidden="true" tabindex="-1" href="#允许本地回环地址可以正常使用"><span class="octicon octicon-link"></span></a>允许本地回环地址可以正常使用</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line line-number" line="2"><span class="token comment">#本地回环地址就是那个127.0.0.1，是本机上使用的,它进与出都设置为允许</span>
</span><span class="code-line line-number" line="3">iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-o</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span></code><div onclick="copied(this)" data-code="iptables -A INPUT -i lo -j ACCEPT
#本地回环地址就是那个127.0.0.1，是本机上使用的,它进与出都设置为允许
iptables -A OUTPUT -o lo -j ACCEPT
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="设置默认的规则"><a class="anchor" aria-hidden="true" tabindex="-1" href="#设置默认的规则"><span class="octicon octicon-link"></span></a>设置默认的规则</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-P</span> INPUT DROP <span class="token comment"># 配置默认的不让进（远程操作时务必先添加放行 ssh 和已建立连接的规则，再设置 DROP，否则会把自己锁在外面）</span>
</span><span class="code-line line-number" line="2">iptables <span class="token parameter variable">-P</span> FORWARD DROP <span class="token comment"># 默认的不允许转发</span>
</span><span class="code-line line-number" line="3">iptables <span class="token parameter variable">-P</span> OUTPUT ACCEPT <span class="token comment"># 默认的可以出去</span>
</span></code><div onclick="copied(this)" data-code="iptables -P INPUT DROP # 配置默认的不让进（远程操作时务必先添加放行 ssh 和已建立连接的规则，再设置 DROP，否则会把自己锁在外面）
iptables -P FORWARD DROP # 默认的不允许转发
iptables -P OUTPUT ACCEPT # 默认的可以出去
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="配置白名单"><a class="anchor" aria-hidden="true" tabindex="-1" href="#配置白名单"><span class="octicon octicon-link"></span></a>配置白名单</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> all <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">-j</span> ACCEPT  <span class="token comment"># 允许机房内网机器可以访问</span>
</span><span class="code-line line-number" line="2">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> all <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.140.0/24 <span class="token parameter variable">-j</span> ACCEPT  <span class="token comment"># 允许机房内网机器可以访问</span>
</span><span class="code-line line-number" line="3">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">183.121</span>.3.7 <span class="token parameter variable">--dport</span> <span class="token number">3380</span> <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许183.121.3.7访问本机的3380端口</span>
</span></code><div onclick="copied(this)" data-code="iptables -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT  # 允许机房内网机器可以访问
iptables -A INPUT -p all -s 192.168.140.0/24 -j ACCEPT  # 允许机房内网机器可以访问
iptables -A INPUT -p tcp -s 183.121.3.7 --dport 3380 -j ACCEPT # 允许183.121.3.7访问本机的3380端口
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="开启相应的服务端口"><a class="anchor" aria-hidden="true" tabindex="-1" href="#开启相应的服务端口"><span class="octicon octicon-link"></span></a>开启相应的服务端口</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 开启80端口，因为web对外都是这个端口</span>
</span><span class="code-line line-number" line="2">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp --icmp-type <span class="token number">8</span> <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许被ping</span>
</span><span class="code-line line-number" line="3">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 已经建立的连接得让它进来</span>
</span></code><div onclick="copied(this)" data-code="iptables -A INPUT -p tcp --dport 80 -j ACCEPT # 开启80端口，因为web对外都是这个端口
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT # 允许被ping
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # 已经建立的连接得让它进来
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="保存规则到配置文件中"><a class="anchor" aria-hidden="true" tabindex="-1" href="#保存规则到配置文件中"><span class="octicon octicon-link"></span></a>保存规则到配置文件中</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1"><span class="token function">cp</span> /etc/sysconfig/iptables /etc/sysconfig/iptables.bak <span class="token comment"># 任何改动之前先备份，请保持这一优秀的习惯</span>
</span><span class="code-line line-number" line="2">iptables-save <span class="token operator">></span> /etc/sysconfig/iptables
</span><span class="code-line line-number" line="3"><span class="token function">cat</span> /etc/sysconfig/iptables
</span></code><div onclick="copied(this)" data-code="cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak # 任何改动之前先备份，请保持这一优秀的习惯
iptables-save > /etc/sysconfig/iptables
cat /etc/sysconfig/iptables
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="列出已设置的规则"><a class="anchor" aria-hidden="true" tabindex="-1" href="#列出已设置的规则"><span class="octicon octicon-link"></span></a>列出已设置的规则</h4>
<blockquote>
  <p>iptables -L [-t 表名] [链名]</p>
</blockquote>
<ul>
  <li>四个表名 <code>raw</code>，<code>nat</code>，<code>filter</code>，<code>mangle</code></li>
  <li>五个规则链名 <code>INPUT</code>、<code>OUTPUT</code>、<code>FORWARD</code>、<code>PREROUTING</code>、<code>POSTROUTING</code></li>
  <li>filter表包含<code>INPUT</code>、<code>OUTPUT</code>、<code>FORWARD</code>三个规则链</li>
</ul>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-t</span> nat                  <span class="token comment"># 列出 nat 上面的所有规则</span>
</span><span class="code-line line-number" line="2"><span class="token comment">#            ^ -t 参数指定，必须是 raw， nat，filter，mangle 中的一个</span>
</span><span class="code-line line-number" line="3">iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-t</span> nat  --line-numbers  <span class="token comment"># 规则带编号</span>
</span><span class="code-line line-number" line="4">iptables <span class="token parameter variable">-L</span> INPUT
</span><span class="code-line line-number" line="5">
</span><span class="code-line line-number" line="6">iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-nv</span>  <span class="token comment"># 查看，这个列表看起来更详细</span>
</span></code><div onclick="copied(this)" data-code="iptables -L -t nat                  # 列出 nat 上面的所有规则
#            ^ -t 参数指定，必须是 raw， nat，filter，mangle 中的一个
iptables -L -t nat  --line-numbers  # 规则带编号
iptables -L INPUT

iptables -L -nv  # 查看，这个列表看起来更详细
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="清除已有规则"><a class="anchor" aria-hidden="true" tabindex="-1" href="#清除已有规则"><span class="octicon octicon-link"></span></a>清除已有规则</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-F</span> INPUT  <span class="token comment"># 清空指定链 INPUT 上面的所有规则</span>
</span><span class="code-line line-number" line="2">iptables <span class="token parameter variable">-X</span> INPUT  <span class="token comment"># 删除指定的链，这条链必须没有被其它任何规则引用，而且这条链上必须没有任何规则。</span>
</span><span class="code-line line-number" line="3">                   <span class="token comment"># 如果没有指定链名，则会删除该表中所有非内置的链。</span>
</span><span class="code-line line-number" line="4">iptables <span class="token parameter variable">-Z</span> INPUT  <span class="token comment"># 把指定链，或者表中的所有链上的所有计数器清零。</span>
</span></code><div onclick="copied(this)" data-code="iptables -F INPUT  # 清空指定链 INPUT 上面的所有规则
iptables -X INPUT  # 删除指定的链，这条链必须没有被其它任何规则引用，而且这条链上必须没有任何规则。
                   # 如果没有指定链名，则会删除该表中所有非内置的链。
iptables -Z INPUT  # 把指定链，或者表中的所有链上的所有计数器清零。
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="删除已添加的规则"><a class="anchor" aria-hidden="true" tabindex="-1" href="#删除已添加的规则"><span class="octicon octicon-link"></span></a>删除已添加的规则</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1"><span class="token comment"># 添加一条规则</span>
</span><span class="code-line line-number" line="2">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.5 <span class="token parameter variable">-j</span> DROP
</span></code><div onclick="copied(this)" data-code="# 添加一条规则
iptables -A INPUT -s 192.168.1.5 -j DROP
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<p>将所有 iptables 规则以序号标记显示，执行：</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-n</span> --line-numbers
</span></code><div onclick="copied(this)" data-code="iptables -L -n --line-numbers
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<p>比如要删除INPUT里序号为8的规则，执行：</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-D</span> INPUT <span class="token number">8</span>
</span></code><div onclick="copied(this)" data-code="iptables -D INPUT 8
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="开放指定的端口"><a class="anchor" aria-hidden="true" tabindex="-1" href="#开放指定的端口"><span class="octicon octicon-link"></span></a>开放指定的端口</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">127.0</span>.0.1 <span class="token parameter variable">-d</span> <span class="token number">127.0</span>.0.1 <span class="token parameter variable">-j</span> ACCEPT               <span class="token comment">#允许本地回环接口(即允许本机访问本机)</span>
</span><span class="code-line line-number" line="2">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT    <span class="token comment">#允许已建立的或相关连的通行</span>
</span><span class="code-line line-number" line="3">iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-j</span> ACCEPT         <span class="token comment">#允许所有本机向外的访问</span>
</span><span class="code-line line-number" line="4">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-j</span> ACCEPT    <span class="token comment">#允许访问22端口</span>
</span><span class="code-line line-number" line="5">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-j</span> ACCEPT    <span class="token comment">#允许访问80端口</span>
</span><span class="code-line line-number" line="6">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">21</span> <span class="token parameter variable">-j</span> ACCEPT    <span class="token comment">#允许ftp服务的21端口</span>
</span><span class="code-line line-number" line="7">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">20</span> <span class="token parameter variable">-j</span> ACCEPT    <span class="token comment">#允许FTP服务的20端口</span>
</span><span class="code-line line-number" line="8">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-j</span> REJECT       <span class="token comment">#禁止其他未允许的规则访问（目标名区分大小写，须写作 REJECT）</span>
</span><span class="code-line line-number" line="9">iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-j</span> REJECT     <span class="token comment">#禁止其他未允许的规则访问</span>
</span></code><div onclick="copied(this)" data-code="iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT               #允许本地回环接口(即允许本机访问本机)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    #允许已建立的或相关连的通行
iptables -A OUTPUT -j ACCEPT         #允许所有本机向外的访问
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    #允许访问22端口
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    #允许访问80端口
iptables -A INPUT -p tcp --dport 21 -j ACCEPT    #允许ftp服务的21端口
iptables -A INPUT -p tcp --dport 20 -j ACCEPT    #允许FTP服务的20端口
iptables -A INPUT -j REJECT       #禁止其他未允许的规则访问（目标名区分大小写，须写作 REJECT）
iptables -A FORWARD -j REJECT     #禁止其他未允许的规则访问
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="屏蔽ip"><a class="anchor" aria-hidden="true" tabindex="-1" href="#屏蔽ip"><span class="octicon octicon-link"></span></a>屏蔽IP</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.0.8 <span class="token parameter variable">-j</span> DROP  <span class="token comment"># 屏蔽恶意主机（比如，192.168.0.8）</span>
</span><span class="code-line line-number" line="2">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.45</span>.6.7 <span class="token parameter variable">-j</span> DROP       <span class="token comment">#屏蔽单个IP的命令</span>
</span><span class="code-line line-number" line="3">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.0</span>.0.0/8 <span class="token parameter variable">-j</span> DROP      <span class="token comment">#封整个段即从123.0.0.1到123.255.255.254的命令</span>
</span><span class="code-line line-number" line="4">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">124.45</span>.0.0/16 <span class="token parameter variable">-j</span> DROP    <span class="token comment">#封IP段即从124.45.0.1到124.45.255.254的命令</span>
</span><span class="code-line line-number" line="5">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.45</span>.6.0/24 <span class="token parameter variable">-j</span> DROP    <span class="token comment">#封IP段即从123.45.6.1到123.45.6.254的命令</span>
</span></code><div onclick="copied(this)" data-code="iptables -A INPUT -p tcp -m tcp -s 192.168.0.8 -j DROP  # 屏蔽恶意主机（比如，192.168.0.8）
iptables -I INPUT -s 123.45.6.7 -j DROP       #屏蔽单个IP的命令
iptables -I INPUT -s 123.0.0.0/8 -j DROP      #封整个段即从123.0.0.1到123.255.255.254的命令
iptables -I INPUT -s 124.45.0.0/16 -j DROP    #封IP段即从124.45.0.1到124.45.255.254的命令
iptables -I INPUT -s 123.45.6.0/24 -j DROP    #封IP段即从123.45.6.1到123.45.6.254的命令
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="指定数据包出去的网络接口"><a class="anchor" aria-hidden="true" tabindex="-1" href="#指定数据包出去的网络接口"><span class="octicon octicon-link"></span></a>指定数据包出去的网络接口</h4>
<p>只对 OUTPUT，FORWARD，POSTROUTING 三个链起作用。</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-o</span> eth0
</span></code><div onclick="copied(this)" data-code="iptables -A FORWARD -o eth0
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="查看已添加的规则"><a class="anchor" aria-hidden="true" tabindex="-1" href="#查看已添加的规则"><span class="octicon octicon-link"></span></a>查看已添加的规则</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-n</span> <span class="token parameter variable">-v</span>
</span><span class="code-line line-number" line="2">Chain INPUT <span class="token punctuation">(</span>policy DROP <span class="token number">48106</span> packets, 2690K bytes<span class="token punctuation">)</span>
</span><span class="code-line line-number" line="3"> pkts bytes target     prot opt <span class="token keyword">in</span>     out     <span class="token builtin class-name">source</span>               destination
</span><span class="code-line line-number" line="4"> <span class="token number">5075</span>  589K ACCEPT     all  --  lo     *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0
</span><span class="code-line line-number" line="5"> 191K   90M ACCEPT     tcp  --  *      *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0           tcp dpt:22
</span><span class="code-line line-number" line="6">1499K  133M ACCEPT     tcp  --  *      *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0           tcp dpt:80
</span><span class="code-line line-number" line="7">4364K 6351M ACCEPT     all  --  *      *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0           state RELATED,ESTABLISHED
</span><span class="code-line line-number" line="8"> <span class="token number">6256</span>  327K ACCEPT     icmp --  *      *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0
</span><span class="code-line line-number" line="9">
</span><span class="code-line line-number" line="10">Chain FORWARD <span class="token punctuation">(</span>policy ACCEPT <span class="token number">0</span> packets, <span class="token number">0</span> bytes<span class="token punctuation">)</span>
</span><span class="code-line line-number" line="11"> pkts bytes target     prot opt <span class="token keyword">in</span>     out     <span class="token builtin class-name">source</span>               destination
</span><span class="code-line line-number" line="12">
</span><span class="code-line line-number" line="13">Chain OUTPUT <span class="token punctuation">(</span>policy ACCEPT 3382K packets, 1819M bytes<span class="token punctuation">)</span>
</span><span class="code-line line-number" line="14"> pkts bytes target     prot opt <span class="token keyword">in</span>     out     <span class="token builtin class-name">source</span>               destination
</span><span class="code-line line-number" line="15"> <span class="token number">5075</span>  589K ACCEPT     all  --  *      lo      <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0
</span></code><div onclick="copied(this)" data-code="iptables -L -n -v
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6256  327K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="启动网络转发规则"><a class="anchor" aria-hidden="true" tabindex="-1" href="#启动网络转发规则"><span class="octicon octicon-link"></span></a>启动网络转发规则</h4>
<p>公网<code>210.14.67.127</code>让内网<code>192.168.188.0/24</code>上网</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> POSTROUTING <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.188.0/24 <span class="token parameter variable">-j</span> SNAT --to-source <span class="token number">210.14</span>.67.127
</span></code><div onclick="copied(this)" data-code="iptables -t nat -A POSTROUTING -s 192.168.188.0/24 -j SNAT --to-source 210.14.67.127
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="端口映射"><a class="anchor" aria-hidden="true" tabindex="-1" href="#端口映射"><span class="octicon octicon-link"></span></a>端口映射</h4>
<p>本机的 2222 端口映射到内网虚拟机的 22 端口</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-d</span> <span class="token number">210.14</span>.67.127 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">2222</span>  <span class="token parameter variable">-j</span> DNAT --to-dest <span class="token number">192.168</span>.188.115:22
</span></code><div onclick="copied(this)" data-code="iptables -t nat -A PREROUTING -d 210.14.67.127 -p tcp --dport 2222  -j DNAT --to-dest 192.168.188.115:22
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="字符串匹配"><a class="anchor" aria-hidden="true" tabindex="-1" href="#字符串匹配"><span class="octicon octicon-link"></span></a>字符串匹配</h4>
<p>比如，我们要过滤所有TCP连接中的字符串<code>test</code>，一旦出现它我们就终止这个连接，我们可以这么做：</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> string <span class="token parameter variable">--algo</span> kmp <span class="token parameter variable">--string</span> <span class="token string">"test"</span> <span class="token parameter variable">-j</span> REJECT --reject-with tcp-reset
</span><span class="code-line line-number" line="2">iptables <span class="token parameter variable">-L</span>
</span><span class="code-line line-number" line="3">
</span><span class="code-line line-number" line="4"><span class="token comment"># Chain INPUT (policy ACCEPT)</span>
</span><span class="code-line line-number" line="5"><span class="token comment"># target     prot opt source               destination</span>
</span><span class="code-line line-number" line="6"><span class="token comment"># REJECT     tcp  --  anywhere             anywhere            STRING match "test" ALGO name kmp TO 65535 reject-with tcp-reset</span>
</span><span class="code-line line-number" line="7"><span class="token comment">#</span>
</span><span class="code-line line-number" line="8"><span class="token comment"># Chain FORWARD (policy ACCEPT)</span>
</span><span class="code-line line-number" line="9"><span class="token comment"># target     prot opt source               destination</span>
</span><span class="code-line line-number" line="10"><span class="token comment">#</span>
</span><span class="code-line line-number" line="11"><span class="token comment"># Chain OUTPUT (policy ACCEPT)</span>
</span><span class="code-line line-number" line="12"><span class="token comment"># target     prot opt source               destination</span>
</span></code><div onclick="copied(this)" data-code="iptables -A INPUT -p tcp -m string --algo kmp --string &#x22;test&#x22; -j REJECT --reject-with tcp-reset
iptables -L

# Chain INPUT (policy ACCEPT)
# target     prot opt source               destination
# REJECT     tcp  --  anywhere             anywhere            STRING match &#x22;test&#x22; ALGO name kmp TO 65535 reject-with tcp-reset
#
# Chain FORWARD (policy ACCEPT)
# target     prot opt source               destination
#
# Chain OUTPUT (policy ACCEPT)
# target     prot opt source               destination
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="阻止windows蠕虫的攻击"><a class="anchor" aria-hidden="true" tabindex="-1" href="#阻止windows蠕虫的攻击"><span class="octicon octicon-link"></span></a>阻止Windows蠕虫的攻击</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-j</span> DROP <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">0.0</span>.0.0/0 <span class="token parameter variable">-m</span> string <span class="token parameter variable">--algo</span> kmp <span class="token parameter variable">--string</span> <span class="token string">"cmd.exe"</span>
</span></code><div onclick="copied(this)" data-code="iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --algo kmp --string &#x22;cmd.exe&#x22;
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="防止syn洪水攻击"><a class="anchor" aria-hidden="true" tabindex="-1" href="#防止syn洪水攻击"><span class="octicon octicon-link"></span></a>防止SYN洪水攻击</h4>
<p>此规则只放行每秒不超过 5 个的 SYN 包，超出的 SYN 包并不会被它丢弃，而是继续匹配后续规则或按 INPUT 链的默认策略处理；需要在其后追加 DROP 规则（或将 INPUT 链默认策略设为 DROP），限速才能真正起作用。</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--syn</span> <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">5</span>/second <span class="token parameter variable">-j</span> ACCEPT
</span></code><div onclick="copied(this)" data-code="iptables -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h4 id="添加secmark记录"><a class="anchor" aria-hidden="true" tabindex="-1" href="#添加secmark记录"><span class="octicon octicon-link"></span></a>添加SECMARK记录</h4>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--src</span> <span class="token number">192.168</span>.1.2 <span class="token parameter variable">--dport</span> <span class="token number">443</span> <span class="token parameter variable">-j</span> SECMARK <span class="token parameter variable">--selctx</span> system_u:object_r:myauth_packet_t
</span><span class="code-line line-number" line="2"><span class="token comment"># 向从 192.168.1.2:443 以TCP方式发出到本机的包添加MAC安全上下文 system_u:object_r:myauth_packet_t</span>
</span></code><div onclick="copied(this)" data-code="iptables -t mangle -A INPUT -p tcp --src 192.168.1.2 --dport 443 -j SECMARK --selctx system_u:object_r:myauth_packet_t
# 向从 192.168.1.2:443 以TCP方式发出到本机的包添加MAC安全上下文 system_u:object_r:myauth_packet_t
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>
<h2 id="更多实例"><a class="anchor" aria-hidden="true" tabindex="-1" href="#更多实例"><span class="octicon octicon-link"></span></a>更多实例</h2>
<blockquote>
  <p>用iptables搭建一套强大的安全防护盾 <a href="http://www.imooc.com/learn/389">http://www.imooc.com/learn/389</a></p>
</blockquote>
<p>iptables: linux 下用户空间的防火墙配置工具（数据包过滤本身由内核中的 netfilter 完成）</p>
<p>
  iptables 5链: 对应 Hook point
  netfilter: linux 操作系统核心层内部的一个数据包处理模块
  Hook point: 数据包在 netfilter 中的挂载点; <code>PRE_ROUTING / INPUT / OUTPUT / FORWARD / POST_ROUTING</code>
</p>
<p>
  iptables &#x26; netfilter
  
  <img src="http://7xq89b.com1.z0.glb.clouddn.com/netfilter&#x26;iptables.jpg" alt="">
</p>
<p>
  iptables 4表5链
  
  <img src="http://7xq89b.com1.z0.glb.clouddn.com/iptables-data-stream.jpg" alt="">
</p>
<p>
  iptables rules
  
  <img src="http://7xq89b.com1.z0.glb.clouddn.com/iptables-rules.jpg" alt="">
</p>
<ul>
  <li>4表</li>
</ul>
<p>
  <strong>filter</strong>: 访问控制 / 规则匹配
  <strong>nat</strong>: 地址转换
  mangle / raw
</p>
<ul>
  <li>规则</li>
</ul>
<p>
  数据访问控制: ACCEPT / DROP / REJECT
  数据包改写(nat -> 地址转换): snat / dnat
  信息记录: log
</p>
<h2 id="使用场景实例"><a class="anchor" aria-hidden="true" tabindex="-1" href="#使用场景实例"><span class="octicon octicon-link"></span></a>使用场景实例</h2>
<ul>
  <li>场景一</li>
</ul>
<p>
  开放 tcp 10-22/80 端口
  开放 icmp
  其他未被允许的端口禁止访问
</p>
<p>存在的问题: 本机无法访问本机; 本机无法访问其他主机</p>
<ul>
  <li>场景二</li>
</ul>
<p>
  ftp: 默认被动模式(服务器产生随机端口告诉客户端, 客户端主动连接这个端口拉取数据)
  vsftpd: 使 ftp 支持主动模式(客户端产生随机端口通知服务器, 服务器主动连接这个端口发送数据)
</p>
<ul>
  <li>场景三</li>
</ul>
<p>
  允许外网访问:
  web
  http -> 80/tcp; https -> 443/tcp
  mail
  smtp -> 25/tcp; smtps -> 465/tcp
  pop3 -> 110/tcp; pop3s -> 995/tcp
  imap -> 143/tcp
</p>
<p>
  内部使用:
  file
  nfs -> 2049/tcp/udp
  samba -> 137/138/udp; 139/445/tcp
  ftp -> 20/21/tcp
  remote
  ssh -> 22/tcp
  sql
  mysql -> 3306/tcp
  oracle -> 1521/tcp
</p>
<ul>
  <li>场景四</li>
</ul>
<p>nat 转发</p>
<ul>
  <li>场景五</li>
</ul>
<p>防CC攻击</p>
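<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line line-number" line="1">iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-F</span> <span class="token parameter variable">-A</span> <span class="token parameter variable">-D</span> <span class="token comment"># list flush append delete</span>
</span><span class="code-line line-number" line="2"><span class="token comment"># 场景一</span>
</span><span class="code-line line-number" line="3">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许 tcp 80 端口</span>
</span><span class="code-line line-number" line="4">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">10</span>:22 <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许 tcp 10-22 端口</span>
</span><span class="code-line line-number" line="5">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-p</span> icmp <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许 icmp</span>
</span><span class="code-line line-number" line="6">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-j</span> REJECT <span class="token comment"># 添加一条规则, 不允许所有</span>
</span><span class="code-line line-number" line="7">
</span><span class="code-line line-number" line="8"><span class="token comment"># 优化场景一</span>
</span><span class="code-line line-number" line="9">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-i</span> lo <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许本机访问</span>
</span><span class="code-line line-number" line="10">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许访问外网</span>
</span><span class="code-line line-number" line="11">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-s</span> <span class="token number">10.10</span>.188.233 <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 只允许固定ip访问80</span>
</span><span class="code-line line-number" line="12">
</span><span class="code-line line-number" line="13"><span class="token comment"># 场景二</span>
</span><span class="code-line line-number" line="14"><span class="token function">vi</span> /etc/vsftpd/vsftpd.conf <span class="token comment"># 使用 vsftpd 开启 ftp 主动模式</span>
</span><span class="code-line line-number" line="15"><span class="token assign-left variable">port_enable</span><span class="token operator">=</span>yes
</span><span class="code-line line-number" line="16"><span class="token assign-left variable">connect_from_port_20</span><span class="token operator">=</span>YES
</span><span class="code-line line-number" line="17">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">21</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line line-number" line="18">
</span><span class="code-line line-number" line="19"><span class="token function">vi</span> /etc/vsftpd/vsftpd.conf <span class="token comment"># 建议使用 ftp 被动模式</span>
</span><span class="code-line line-number" line="20"><span class="token assign-left variable">pasv_min_port</span><span class="token operator">=</span><span class="token number">50000</span>
</span><span class="code-line line-number" line="21"><span class="token assign-left variable">pasv_max_port</span><span class="token operator">=</span><span class="token number">60000</span>
</span><span class="code-line line-number" line="22">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">21</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line line-number" line="23">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">50000</span>:60000 <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line line-number" line="24">
</span><span class="code-line line-number" line="25"><span class="token comment"># 还可以使用 iptables 模块追踪来自动开放对应的端口</span>
</span><span class="code-line line-number" line="26">
</span><span class="code-line line-number" line="27"><span class="token comment"># 场景三</span>
</span><span class="code-line line-number" line="28">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-i</span> lo <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许本机访问</span>
</span><span class="code-line line-number" line="29">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许访问外网</span>
</span><span class="code-line line-number" line="30">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">10.10</span>.155.0/24 <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许内网访问</span>
</span><span class="code-line line-number" line="31">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--dports</span> <span class="token number">80,1723</span> <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># 允许端口, 80 -> http, 1723 -> vpn</span>
</span><span class="code-line line-number" line="32">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-j</span> REJECT <span class="token comment"># 添加一条规则, 不允许所有</span>
</span><span class="code-line line-number" line="33">
</span><span class="code-line line-number" line="34">iptables-save <span class="token comment"># 保存设置到配置文件</span>
</span><span class="code-line line-number" line="35">
</span><span class="code-line line-number" line="36"><span class="token comment"># 场景四</span>
</span><span class="code-line line-number" line="37">iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-L</span> <span class="token comment"># 查看 nat 配置</span>
</span><span class="code-line line-number" line="38">
</span><span class="code-line line-number" line="39">iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> POSTROUTING <span class="token parameter variable">-s</span> <span class="token number">10.10</span>.177.0/24 <span class="token parameter variable">-j</span> SNAT <span class="token parameter variable">--to</span> <span class="token number">10.10</span>.188.232 <span class="token comment"># SNAT</span>
</span><span class="code-line line-number" line="40"><span class="token function">vi</span> /etc/sysconfig/network <span class="token comment"># 配置网关</span>
</span><span class="code-line line-number" line="41">
</span><span class="code-line line-number" line="42">iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-d</span> <span class="token number">10.10</span>.188.232 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-j</span> DNAT <span class="token parameter variable">--to</span> <span class="token number">10.10</span>.177.232:80 <span class="token comment"># DNAT</span>
</span><span class="code-line line-number" line="43">
</span><span class="code-line line-number" line="44"><span class="token comment"># 场景五</span>
</span><span class="code-line line-number" line="45">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--syn</span> <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-m</span> connlimit --connlimit-above <span class="token number">100</span> <span class="token parameter variable">-j</span> REJECT <span class="token comment"># 限制并发连接访问数</span>
</span><span class="code-line line-number" line="46">iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">3</span>/hour --limit-burst <span class="token number">10</span> <span class="token parameter variable">-j</span> ACCEPT <span class="token comment"># limit模块; --limit-burst 默认为5</span>
</span></code><div onclick="copied(this)" data-code="iptables -L -F -A -D # list flush append delete
# 场景一
iptables -I INPUT -p tcp --dport 80 -j ACCEPT # 允许 tcp 80 端口
iptables -I INPUT -p tcp --dport 10:22 -j ACCEPT # 允许 tcp 10-22 端口
iptables -I INPUT -p icmp -j ACCEPT # 允许 icmp
iptables -A INPUT -j REJECT # 添加一条规则, 不允许所有

# 优化场景一
iptables -I INPUT -i lo -j ACCEPT # 允许本机访问
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # 允许访问外网
iptables -I INPUT -p tcp --dport 80 -s 10.10.188.233 -j ACCEPT # 只允许固定ip访问80

# 场景二
vi /etc/vsftpd/vsftpd.conf # 使用 vsftpd 开启 ftp 主动模式
port_enable=yes
connect_from_port_20=YES
iptables -I INPUT -p tcp --dport 21 -j ACCEPT

vi /etc/vsftpd/vsftpd.conf # 建议使用 ftp 被动模式
pasv_min_port=50000
pasv_max_port=60000
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -p tcp --dport 50000:60000 -j ACCEPT

# 还可以使用 iptables 模块追踪来自动开放对应的端口

# 场景三
iptables -I INPUT -i lo -j ACCEPT # 允许本机访问
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # 允许访问外网
iptables -I INPUT -s 10.10.155.0/24 -j ACCEPT # 允许内网访问
iptables -I INPUT -p tcp -m multiport --dports 80,1723 -j ACCEPT # 允许端口, 80 -> http, 1723 -> vpn
iptables -A INPUT -j REJECT # 添加一条规则, 不允许所有

iptables-save # 保存设置到配置文件

# 场景四
iptables -t nat -L # 查看 nat 配置

iptables -t nat -A POSTROUTING -s 10.10.177.0/24 -j SNAT --to 10.10.188.232 # SNAT
vi /etc/sysconfig/network # 配置网关

iptables -t nat -A PREROUTING -d 10.10.188.232 -p tcp --dport 80 -j DNAT --to 10.10.177.232:80 # DNAT

# 场景五
iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT # 限制并发连接访问数
iptables -I INPUT -m limit --limit 3/hour --limit-burst 10 -j ACCEPT # limit模块; --limit-burst 默认为5
" class="copied"><svg class="octicon-copy" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"></path><path fill-rule="evenodd" d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"></path></svg><svg class="octicon-check" aria-hidden="true" viewBox="0 0 16 16" fill="currentColor" height="12" width="12"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg></div></pre>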
<style>/* Copy button overlaid on highlighted <pre> blocks; the .active class is toggled by copied() below. */ markdown-style pre .copied {
  display: flex;
  position: absolute;
  cursor: pointer;
  color: #a5afbb;
  top: 6px;
  right: 6px;
  border-radius: 5px;
  background: #82828226;
  padding: 6px;
  font-size: 12px;
  transition: all .3s;
}
/* Hidden until the enclosing <pre> is hovered, unless a copy is in progress (.active). */
markdown-style pre .copied:not(.active) {
  visibility: hidden;
}
markdown-style pre:hover .copied {
  visibility: visible;
}
markdown-style pre:hover .copied:hover {
  background: #4caf50;
  color: #fff;
}
markdown-style pre:hover .copied:active,
markdown-style pre .copied.active {
  background: #2e9b33;
  color: #fff;
}
/* Icon swap: the copy glyph is shown by default, the check glyph while .active is set.
   Rule order matters here — the .active rules must come after the defaults to win the cascade. */
markdown-style pre .copied .octicon-copy {
  display: block;
}
markdown-style pre .copied .octicon-check {
  display: none;
}
markdown-style pre .active .octicon-copy {
  display: none;
}
markdown-style pre .active .octicon-check {
  display: block;
}</style><script>/*! @uiw/copy-to-clipboard v1.0.12 | MIT (c) 2021 Kenny Wang | https://github.com/uiwjs/copy-to-clipboard.git */
!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).copyTextToClipboard=t()}(this,(function(){"use strict";return function(e,t){const o=document.createElement("textarea");o.value=e,o.setAttribute("readonly",""),o.style={position:"absolute",left:"-9999px"},document.body.appendChild(o);const n=document.getSelection().rangeCount>0&&document.getSelection().getRangeAt(0);o.select();let c=!1;try{c=!!document.execCommand("copy")}catch(e){c=!1}document.body.removeChild(o),n&&document.getSelection&&(document.getSelection().removeAllRanges(),document.getSelection().addRange(n)),t&&t(c)}}));

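/**
 * Click handler for the copy button of a highlighted <pre> block.
 * Copies the block's `data-code` attribute to the clipboard and flashes
 * the "copied" check mark (the `active` class) for two seconds.
 *
 * @param {HTMLElement} target  the `.copied` element that was clicked; its
 *                              `dataset.code` holds the text to copy
 * @param {string} [str]        unused; kept so existing callers (including
 *                              the inline `onclick="copied(this)"`) keep working
 */
function copied(target, str) {
  copyTextToClipboard(target.dataset.code, function(ok) {
    // copyTextToClipboard passes the result of execCommand('copy').
    // Only show the check mark when the copy actually succeeded, so a
    // blocked or failed copy is not reported to the user as done.
    if (!ok) {
      return;
    }
    target.classList.add('active');
    setTimeout(() => {
      target.classList.remove('active');
    }, 2000);
  });
}</script></markdown-style>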

</div>
<!-- Linux命令行搜索引擎：https://jaywcjlove.github.io/linux-command/ -->
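<!-- Site footer. External links open in a new tab; rel="noopener" keeps the
     opened page from reaching this window via window.opener. -->
<div class="footer">
  <a href="https://github.com/jaywcjlove/linux-command/new/master/command" target="_blank" rel="noopener">添加命令</a> |
  <a href="../hot.html">命令列表</a> |
  <a href="https://github.com/jaywcjlove/oscnews" target="_blank" rel="noopener">Chrome 插件</a> |
  <a href="https://github.com/jaywcjlove/linux-command/releases" target="_blank" rel="noopener">Alfred</a> |
  <a href="https://jaywcjlove.github.io/linux-command/linux-command.docset.zip" target="_blank" rel="noopener">Dash</a> |
  <a href="https://github.com/roachsinai/krunner-linuxcommands" target="_blank" rel="noopener">Krunner</a> |
  <a href="http://jaywcjlove.gitee.io/linux-command/" target="_blank" rel="noopener">开源中国Web版</a>
  <br>
  <a href="https://github.com/jaywcjlove/linux-command" target="_blank" rel="noopener">Github</a> |
  <a href="https://jaywcjlove.github.io/linux-command/" target="_blank" rel="noopener">短地址：https://git.io/linux</a>
  <br>
  收藏本站请使用 Ctrl+D 或者 Command+D
  <br> 共搜集到
  <span id="commands_info">
    587
  </span> 个Linux命令，超过 <a href="../contributors.html">50+</a> 贡献者
</div>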
<!-- Page scripts; `type` is omitted because text/javascript is the default. -->
<script src="../js/dt.js?v=1671615307306"></script>
<script src="../js/index.js?v=1671615307306"></script>
</body>
</html>